PCI is set to release an updated version of its Data Security Standard, DSS 3.2, which goes into effect April 28, 2016. PCI DSS 3.1 expires Oct. 31, 2016. The new 3.2 standard has several changes, but the biggest ones concern the expanded use of multi-factor authentication. The PCI folks have realized it is the year 2016 and passwords alone are not a secure enough authentication method for granting access.
There are three kinds of factors that authentication can use to verify a user before granting access to a system.
- Something you know; knowledge based like a password, answer to questions, anything that is from your memory
- Something you have; an object or token like your RSA token, a certificate, smartcard, etc…
- Something you are; biometric, using your body as a unique key, handprint, iris scan, facial recognition, voice, etc…
When regulations and companies talk about multi-factor authentication they are referring to those factors and requiring that more than one be used. A username and password is only one factor: something you know. Requiring a username and password along with a token or hand scan would be multi-factor. Two or more factors are used; some systems could potentially use all three.
The reason behind this is that it takes the power and value away from a password. In a multi-factor authentication system a password is no longer the one-stop key to access, because a user cannot get in without the other factor as well. Generally the tokens are rotating and random and cannot easily be socially engineered (it is very difficult, and there is only a small window in which a code can be used). This is what the new PCI 3.2 puts into place.
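To make the "password plus rotating token" idea concrete, here is an added example of a two-factor login check; it is not code from the original post or from the PCI standard. It assumes the second factor is a TOTP code (RFC 6238, the scheme behind most authenticator apps), uses a constructed user record and a constructed seed, and shows the two properties the paragraph describes: a stolen password alone is useless, and a code is only accepted inside a short time window and only once.

```python
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30     # seconds per token rotation (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1    # tolerate one step of clock drift on either side


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash (something you know)
    plus the shared TOTP seed (something you have)."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest time step already consumed, for replay rejection
    }


def check_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(candidate, record["pw_hash"])


def totp_code(secret: bytes, counter: int) -> str:
    """HOTP/TOTP value for one time step: HMAC-SHA1 over the step counter,
    dynamic truncation, reduced to TOTP_DIGITS decimal digits (RFC 4226/6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def match_totp(code: str, secret: bytes, now: float, last_counter: int):
    """Return the time step the submitted code matches, or None.
    Steps at or below last_counter are already spent, so a captured code
    cannot be replayed even inside the drift window."""
    if not (code.isascii() and code.isdigit() and len(code) == TOTP_DIGITS):
        return None
    current = int(now // TOTP_STEP)
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        step = current + delta
        if step <= last_counter:
            continue
        if hmac.compare_digest(code, totp_code(secret, step)):
            return step
    return None


def authenticate(record: dict, password: str, code: str, now: float) -> bool:
    """Both factors are evaluated before any decision, so a failure does not
    reveal which factor was wrong; access needs the composite key."""
    pw_ok = check_password(password, record)
    step = match_totp(code, record["totp_secret"], now, record["last_counter"])
    if not (pw_ok and step is not None):
        return False
    record["last_counter"] = step  # burn the step so this code cannot be reused
    return True


if __name__ == "__main__":
    seed = b"constructed-demo-seed"          # constructed seed, not a real enrolment
    alice = make_user("correct horse battery staple", seed)
    t = time.time()
    fresh = totp_code(seed, int(t // TOTP_STEP))
    stale = totp_code(seed, int(t // TOTP_STEP) - 5)
    print("password only   :", authenticate(alice, "correct horse battery staple", "000000", t))
    print("stale token     :", authenticate(alice, "correct horse battery staple", stale, t))
    print("password + token:", authenticate(alice, "correct horse battery staple", fresh, t))
    print("replayed token  :", authenticate(alice, "correct horse battery staple", fresh, t))
```

The drift window is the "small window to use" the paragraph mentions: a code is good for about 30 seconds plus one step either side, and the `last_counter` bookkeeping closes the remaining gap where an attacker who watched the code being typed could resend it within that window.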
Not only does PCI 3.2 require multi-factor, it’s where they require it that is turning heads. Instead of requiring it only on external access inward, they are stating that multi-factor authentication should be implemented at every level where access to protected PCI data is obtained. That means every user, whether connecting externally or internally from the ‘trusted’ network, now requires multi-factor authentication to be in place.
Time and time again breaches are showing the world that ‘Hollywood Hackers’ are not busting through the perimeter and breaking in; rather, they are phishing or otherwise getting hold of the internal credentials of valid users. Once inside you are trusted to move around, and with compromised accounts there’s nothing to stop that. Now with multi-factor in place, not only are your internal employees more secure, your supply chain of vendors now has to abide by stricter security practices. Remember, Target didn’t get breached through Target itself but through a supply chain air conditioning vendor that had accounts and more access than it probably should have. If multi-factor had been in place, the accounts would not have been as useful without the second factor. You need the composite key; one piece isn’t enough.
This is a positive step toward a more secure world. Multi-factor authentication is not a complicated process to put in place, but the reason most companies have not implemented it across their internal networks is the same reason most security is bare minimum. Regulations, including PCI, create a checklist security mindset which does not translate into an operational practice. The other reason is internal pushback: multi-factor authentication adds a step to login. Employees’ complaints that they are being ‘inconvenienced’ go a long way, especially when they are inside the walls.
Now PCI is stepping up and mandating this security feature, which is going to change the security practice of many companies and the vendors they work with. Build a checklist regulation and you will get a checklist security program. Unless you have a security practice, no technology alone will stop a breach. Your practice will.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.