How to enforce PCI DSS 3.2 requirements

The requirement to extend multi-factor authentication to additional user groups, and to integrate additional systems, follows directly from the PCI Supplementary Guidance published earlier, which takes effect in February 2018. From that point on, all users accessing systems such as databases, network devices, or mail servers that contain cardholder data will be required to use multi-factor authentication. The new guidance applies to all roles and locations: privileged and regular users, remote and local users.



We have already discussed the latest changes in the PCI DSS 3.2 standard, which are mainly devoted to the use of multi-factor authentication (MFA) and which make MFA mandatory for users accessing the cardholder data environment (CDE) from the office.

The purpose of this supplementary guidance is to establish best-practice standards for companies that face the task of expanding the scope of multi-factor authentication, as well as for those considering how best to comply with the authentication requirements of the PCI DSS standard.

The PCI guidance sets out some key principles of multi-factor authentication:

  1. Multi-factor authentication mechanisms should operate independently of one another and should not compromise each other; that is, during authentication for access, the factors must not depend on each other.
  2. Passwords used must be protected and must be difficult to guess. Hardware tokens and biometric data should be stored securely in a way that prevents unauthorized copying.
  3. Local laws and regulations must be taken into account, since additional local requirements may apply.

Best Practices

For organizations that have not yet implemented multi-factor authentication tools:

Our advice to organizations that have not yet deployed multi-factor authentication is as follows: choose an MFA solution that covers all the use cases defined by the PCI standard. It is also important to confirm that the MFA solution under consideration supports a wide variety of applications. This allows IT to deploy a single tool that meets all PCI requirements for all users while protecting the necessary applications.

For organizations that need to expand the scope of their multi-factor authentication tools and apply them in new scenarios:

For organizations that have already implemented multi-factor authentication but need to expand its scope, for example to network access control, such a project makes it possible to consolidate authentication tools into a single platform that meets the requirements of the PCI standard and other constantly changing regulatory requirements. One possible approach is PKI smart cards, which provide multi-factor authentication for network access, privileged access, remote access and logical access with a single solution, minimizing the administrative burden on IT and offering a very user-friendly experience.

For those who would like to better understand compliance with the requirements of the PCI DSS (Payment Card Industry Data Security Standard), see our document Complying with the Payment Card Industry Data Security Standard - White Paper (in English).

Source: https://habr.com/ru/post/340228/