Initially introduced in 2004, the PCI DSS guidelines are applicable to any entity that stores, handles, or transmits cardholder data. Organizations seeking to demonstrate PCI DSS adherence undergo certifications and tests for all systems interacting with the cardholder environment.
In March 2022, the Council announced the release of PCI DSS version 4.0, offering guidelines aimed at enhancing the security of account holder and payment card data within today's dynamic cyber threat landscape. The existing version, 3.2.1, is scheduled for official deprecation in March 2024, after which organizations will be required to implement version 4.0 guidelines over a span of twelve months.
While version 4.0 introduces enhancements across various aspects, a significant portion pertains to robust authentication prerequisites, particularly those related to password utilization and multi-factor authentication (MFA). Feeble forms of authentication expose organizations and data to risks like brute force attacks, credential phishing, and a variety of password-related assaults. Gaining an understanding of these fresh stipulations is essential for PCI DSS compliance.
Password Stipulations in PCI DSS 4.0
Among the substantial transformations in PCI DSS version 4 is the introduction of highly stringent specifications pertaining to passwords. PCI DSS 4.0 password stipulations (sections 8.3.4-8.3.9) include:
Passwords must exhibit length and complexity: As per PCI DSS 4.0 requisites, passwords must comprise a minimum of 12 characters.
Passwords necessitate resetting every 90 days and must not be reused: An exemption is provided if continuous, risk-based authentication is implemented. This approach involves dynamic analysis of account security status, thereby automatically determining real-time access permissions.
Employing longer passwords poses additional burdens for users and heightens the likelihood of them being noted down or insecurely stored on devices. Compulsory updates often trigger unsafe user behaviours, with minor alterations that hackers can easily guess. Furthermore, these prerequisites are likely to result in increased help desk inquiries, further increasing operational costs.
Mandatory MFA for All CDE Access
Under PCI DSS 3.2.1 guidelines, MFA was exclusively obligatory for administrators accessing the cardholder data environment (CDE). The updated PCI DSS MFA directives (8.4.2) mandate multi-factor authentication for all CDE access instances. These MFA requirements encompass diverse system components, including cloud platforms, hosted systems, on-premises applications, network security devices, workstations, servers, and endpoints.
The new regulations emphasize the imperative of multi-factor authentication for every instance of CDE access. This will introduce considerable friction for personnel, potentially impacting both productivity and employee satisfaction. Furthermore, a majority of organizations lack the appropriate technology or systems to fulfil the MFA requirement for desktops, workstations, and servers, even if they already employ some form of MFA.
Universal MFA Mandate for Remote Access
Formerly, MFA was a requirement solely for remote access to the cardholder data environment. With the updated PCI DSS MFA guidelines, any individual logging in from beyond the secured network perimeter, even if not directly accessing the CDE, must employ multi-factor authentication. This encompasses all employees—users and administrators—as well as third parties and vendors. Moreover, any web-based access, even for on-site employees, necessitates MFA.
Effectively, this mandates the utilization of MFA for your entire remote, hybrid, or externally-supporting workforce at all times. It further mandates the adoption of MFA for any employee utilizing web-based applications to access networks and systems, irrespective of whether they are on-site. Beyond the costs and IT overheads associated with implementing MFA, cumbersome MFA procedures could negatively impact both employee efficiency and contentment.
How to achieve PCI DSS 4.0 Compliance with SystoLOCK
The new PCI DSS framework now aligns more closely with NIST SP 800-63B Digital Identity Guidelines, guidance from CISA and other regulatory bodies advocating the adoption of phishing-resistant MFA and a Zero Trust authentication approach.
SystoLOCK assists organizations in fulfilling PCI DSS MFA prerequisites as well as various other provisions within the standard. SystoLOCK replaces the conventional password-centric and a 2FA approach with secure passwordless authentication. Many elements of the solution, including biometric authentication, trusted device possession, and cryptographically secured tokens, ensure robust, phishing-resistant multi-factor authentication in compliance with PCI DSS requirements.
Furthermore, SystoLOCK substantially enhances user experience, eliminating the need for intricate passwords and streamlining multi-factor authentication to a single user action.
For insights into how SystoLOCK can aid your organization in meeting PCI DSS 4.0 mandates, we encourage you to connect
with one of our experts.