PCI DSS Requirement 8.3: What is two-factor authentication, and when is it required?

As a Qualified Security Assessor (QSA), SecureWorks conducts many consulting engagements each year with merchants that need help meeting the Payment Card Industry Data Security Standards(PCI DSS). One of the areas customers often ask for guidance on is Requirement 8.3, which specifies that merchants must use two-factor authentication for providing remote access to their network.

The requirement states that organizations must "incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties." The objective of this requirement - and of other line item requirements in section 8 - is to ensure that merchants implement strong access control measures so that authorized individuals with network and computer access can be monitored and traced.

While Requirement 8.3 seems fairly clear, merchants are often unsure how to best address it. Questions are usually centered on one of two areas: what is two-factor authentication, and when does it have to be deployed in relation to PCI standards?

What is Two-Factor Authentication?

Two-factor authentication is the combination of at least two different validation methods during any single authentication request. All authentication methods are based around one of three basic types of authentication identifiers: something you know, something you have, and something you are. "Something you know" is a knowledge-based identifier, most commonly represented as a password or pass phrase. "Something you have" is most commonly represented as a token or smart card based identifier. "Something you are" is most commonly represented as a biometric identifier, such as a fingerprint, or other unique physical attribute.

By combining any two of the three authentication identifiers during a single authentication request, the authentication function is strengthened dramatically, and represents a true two-factor authentication mechanism. One thing to remember about two-factor authentication is that its strength is greater than the sum of its individual parts. Any single-factor authentication mechanism may be attacked directly. The combination of both factors requires an attacker to apply two distinctly different attack vectors to attack the authentication mechanism.

When is Two-Factor Authentication Required?

All remote access to the PCI network must utilize two-factor authentication. In simple terms, remote access can be interpreted as any connection or access that crosses public networks. If any of the networks between the access source and Cardholder Data Environment (CDE) are considered to be public, or owned and operated by another entity, then the access should be considered remote. Virtual Private Networks (VPN) technologies create some interesting exceptions, as they effectively cause remote networks to behave like local networks.

For the purposes of requirement 8.3, point-to-point VPN technologies can be considered local network access, and Remote Access (RA) or client VPN technologies should be considered as remote. In both cases, you may need additional review to ensure that the controls adequately meet the intent of the requirement to utilize two-factor authentication for remote access to the CDE.

Common Misconceptions

One common misconception of Requirement 8.3 can be seen with the interpretation and definition of the term two-factor authentication. Some organizations interpret two-factor authentication to mean two authentication identifiers applied individually to two different authentication requests. In these cases, each authentication request only utilizes a single authentication identifier. Two single-factor authentication steps do not equal two-factor authentication.

Another common misconception is that Requirement 8.3 includes all access to the CDE, not just remote access. In these cases, organizations may deploy two-factor authentication mechanisms to authenticate access requests from all connected networks, including those that are locally connected. Although this is above and beyond the intent of requirement 8.3, this may improve and further secure access into the CDE.

Though adding additional authentication steps may improve the overall security of the remote access mechanisms, the improvement does not equal the improved security of a true two-factor authentication mechanism. The intent of requirement 8.3 is to ensure that two authentication identifiers are used within a single authentication request.

Lessons Learned

This is just one example of why merchants often find it challenging to understand and meet the PCI compliance requirements. When you consider that there are more than 200 line item requirements within PCI DSS 2.0, you can see why it can take months, if not years, to become PCI compliant, and why an ongoing PCI maintenance program makes sense. It's also important to understand the intent of the requirements and how they impact your environment. An experienced QSA can help you navigate the finer points of PCI compliance to address them securely and efficiently.