March 29, 2023

Binary Blogger

Are you a 1 or a 0? News, Thoughts and Reviews

PCI 3.2 Changes Put Focus on Multi-Factor Authentication Everywhere

3 min read
7 years ago Binary Blogger

PCI logoPCI is set to release an updated version of the digital security standards, DSS 2.3, which go into effect April 28, 2016. The PCI DSS 3.1 expires Oct. 31, 2016. The new 3.2 standards have several changes but the biggest ones are around the expanded use of multi-factor authentication. The PCI folks have realized it is the year 2016 and passwords alone are not secure enough as an authentication method to access.

Authentication has three methods that can be used for a user to access a system.

  • Something you know; knowledge based like a password, answer to questions, anything that is from your memory
  • Something you have; an object or token like your RSA token, a certificate, smartcard, etc…
  • Something you are; biometric, using your body as a unique key, handprint, iris scan, facial recognition, voice, etc…

When regulations and companies talk about multi-factor authentication they are referring to those factor and requiring more than one used. A username and password is only one factor, something you know. Requiring a username and password along with a token or hand scan would be multi-factor. Two or more factors used, some potentially could use all three.

The reason behind this is it takes the power and value away from a password. In a multi-factor authentication system a password is no longer the one stop access because a user would not be able to get access without the other factor as well. Generally the tokens are rotating, random and cannot be socially engineered easily (very difficult and small window to use). This is what the new PCI 3.2 put into place.

Not only does the PCI 3.2 require multi-factor, it’s where they require it that is turning heads. Instead of only requiring it on external access inward they are stating that multi-factor authentication should be implemented at every level of where access to protected PCI data is achieved. That means every user, external connection or internally from the ‘trusted’ network, now requires multi-factor authentication be in place.

Time and time again breaches are showing the world that ‘Hollywood Hackers’ are not busting through the perimeters breaking in, rather phishing or getting access to the internal credentials of valid users. Once inside you are trusted to move around, with compromised accounts there’s nothing to stop that. Now with Multi-Factor in place not only are your internal employees more secure, your supply chain of vendors now have to abide to stricter security practices. Remember, Target didn’t get breached from Target but from a supply chain air conditioner vendor that had accounts and more access than they probably should have. If multi-factor were in place the accounts would not be as useful without the second factor. You need to composite key, one piece isn’t enough.

This is a positive step toward a more secure world. Mutli-factor authentication is not a complicated process to put in place but why most companies have not implemented it across the internal networks is the same reason most security is bare minimum. Regulations, including PCI, create a checklist security mindset which does not translate to an operational practice. The other reason is internal pushback, multi-factor authentication adds a step to login. Employees’ complaints that they are being ‘inconvenienced’ goes a long way, especially when you are inside the walls.

Now PCI is stepping up and mandating this security feature which is going to change the security practice of many companies and vendors they work with. Build a checklist regulation and you will get a checklist security program. Unless you have a security practice, no technology alone will stop a breach. Your practice will.

End of line.

Please follow and like us:
fb-share-icon
Tweet
Pin Share
Tags:

More Stories

1 min read

WordPress Updates More Than a Million Sites to Fix Critical Ninja Forms Vulnerability

9 months ago Binary Blogger
1 min read

US Man Sentenced to Nine Years in Prison for Hacking iCloud Accounts and Stealing Nudes

9 months ago Binary Blogger
1 min read

Less Than Half of Organizations Have Open Source Security Policy

9 months ago Binary Blogger

You may have missed

3 min read

Blogging Thoughts That Can Be Guaranteed To Turn Out To Be Popular Topics

1 day ago Binary Blogger
3 min read

Why ChatGPT Will Not Take Over The World

1 week ago Binary Blogger
3 min read

Best Practices for NFT Security

1 month ago Binary Blogger
4 min read

How to Make the Most Out of Your Business Software

2 months ago Binary Blogger

Blog Categories

Archives

About Binary Blogger

Binary Blogger is the persona of a 20 year veteran career techie. Throughout the years I have done it all, programming, design, support but have focused on identity security as my primary area of expertise.

I am also a photographer hobbyist, writer, blogger, father, husband and an overall swell guy.

Thanks for reading.

Copyright © All rights reserved. | Newsphere by AF themes.

Enjoy this blog? Please spread the word :)

  • RSS
  • Follow by Email
  • Facebook
    Facebook
    fb-share-icon
  • Twitter
    Visit Us
    Follow Me
    Tweet
  • YOUTUBE
  • INSTAGRAM
RSS
Follow by Email
Facebook
Facebook
fb-share-icon
Twitter
Visit Us
Follow Me
Tweet
YOUTUBE
INSTAGRAM