Those bound by PCI DSS compliance need to prepare for sweeping authentication changes coming in June 2018.

    PCI DSS Compliance Requires 2FA by June of 2018


    By: Frank J. Ohlhorst

    When it comes to compliance, one thing is certain, and that is change. After all, compliance is all about protecting data, ensuring privacy, and making sure that businesses adhere to laws, all of which are impacted by the latest cyber threats and potentially fraudulent schemes. These realizations that force compliance requirements to evolve rather rapidly, impacting those that are bound to legislative compliance issues.

    Case in point is the ever-shifting requirements of PCI DSS compliance, which encompasses pretty much any electronic payment interaction using credit or other payment cards. Those bound by PCI DSS compliance need to prepare for sweeping authentication changes coming in June 2018.

    The extreme focus on PCI DSS compliance is fully merited, especially when one considers the numerous attacks on credit card processing systems and the resulting fraud, and privacy violations.

    For 2018, there is change in the air of PCI compliance, new requirements are on the horizon that will impact any businesses that deals with PCI, the biggest of which impacting both merchants and service providers, including:

    Requirement 6.4.6:  Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. This requirement mandates that significant changes need to be identified and the qualified security assessor (QSA) must be able to then ensure that all relevant PCI requirements were completed because of these significant changes. The biggest impacts here are related to:

    -        Having a documented definition for what your organization considers a “significant change”

    -        Being able to identify and document all significant changes through your change management system

    -        Being able to prove that vulnerability scanning (11.2.3), penetration testing (11.3.1 and 11.3.2) and risk assessment updates (12.2) were conducted as a result of the significant change

    This change is to address issues the PCI Council has found through their quality management reviews of assessments that are too often finding that organizations are not following the significant change portions of these requirements. And with change being an inevitability, that means addressing other requirements will drive documentation and administrative adjustments.

    Requirement 8.3.1: Incorporate multi-factor authentication for all non-console access into the cardholder data environment (CDE) for personnel with administrative access. Although this change should be self-explanatory, there are still many questions surrounding. Simply put, 8.3.1 is mandating that all non-console administrative access to systems/devices in the cardholder data environment requires some form of multi-factor authentication (MFA). In other words, MFA must be used by all administrators of CDE systems/devices.

    Requirement 8.3.2: Goes one step further and requires that MFA must be used for any remote access as well. While that may sound simple, it is how 8.3.1 and 8.3.2 interact that can create some additional confusion. In a nutshell, an administrator that is on the internal network, requirement 8.3.1 means they will need to use MFA to gain administrative access to any CDE system or device. If that same administrator is working remotely, 8.3.2 means that they will have to use MFA to get connected to the internal network and then use MFA again to gain administrative access to any CDE system or device.

    For internal and remote access, the same MFA solution can be used, but it will have to be setup so that authentication occurs during both steps of connectivity, basically to ensure that MFA factors are not reused for both internal and external access.


    In the world of InfoSec, change can be a good thing. The implementation of MFA will go a long way towards protecting systems and preserving privacy. What’s more, the adoption of MFA across the board can strengthen over all security in an enterprise and will bring additional benefits in the form of user management, auditability, and stronger access policies.

    With the rise of spear phishing attacks and other scams, better protecting credentials is a great start towards enhancing security, and MFA is probably the quickest and simplest way to make that happen.  

    For more information on how MFA can improve security, meet compliance requirements, and be quickly extended across an enterprise, please visit    


    Ready to Get Started?

    Let's Talk