8.3 Strong authentication for users and administrators is established and managed.
This requirement covers how authentication factors for all users and administrators are established and managed so that access to system components is strongly authenticated: password/passphrase length, complexity, change and history rules; lockout of invalid attempts; identity verification before a factor is changed; protection of factors with strong cryptography in transit and at rest; and the handling of tokens, smart cards and certificates where they are used as factors.
Sub-requirements:
- 8.3.1 All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
- 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
- 8.3.3 User identity is verified before modifying any authentication factor.
- 8.3.4 Invalid authentication attempts are limited by:
- 8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows:
- 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
- 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
- 8.3.8 Authentication policies and procedures are documented and communicated to all users including:
- 8.3.9 If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:
- 8.3.10 Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), then guidance is provided to customer users including:
- 8.3.10.1 Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access (i.e., in any single-factor authentication implementation) then either:
- 8.3.11 Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used:
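The password/passphrase controls in 8.3.4, 8.3.6 and 8.3.7 as a worked example, added here; this is not code from this page or from the PCI SSC. The thresholds are the values PCI DSS v4.0 states for those sub-requirements (the list above truncates them): lockout after no more than 10 invalid attempts for at least 30 minutes or until identity is confirmed, a minimum of 12 characters with both letters and digits, and no reuse of the last four passwords. The Account class, the PBKDF2 parameters and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Limits as PCI DSS v4.0 states them (the sub-requirement list above omits them).
MIN_LENGTH = 12            # 8.3.6: at least 12 characters (8 only where the system cannot support 12)
MAX_FAILED_ATTEMPTS = 10   # 8.3.4: lock the ID after no more than 10 invalid attempts
LOCKOUT_SECONDS = 30 * 60  # 8.3.4: locked for at least 30 minutes or until identity is confirmed
HISTORY_DEPTH = 4          # 8.3.7: new value must differ from the last four
PBKDF2_ROUNDS = 100_000    # kept low so the example runs quickly; production should use far more


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the stored factor is unreadable (8.3.2)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_errors(password: str) -> List[str]:
    """8.3.6: minimum length plus both alphabetic and numeric characters."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    return errors


@dataclass
class Account:
    """Constructed record for the example: hashed password history plus lockout state."""
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def set_password(account: Account, new_password: str) -> List[str]:
    """Apply 8.3.6 and 8.3.7; returns the list of violations, empty when the change is accepted."""
    errors = complexity_errors(new_password)
    # Re-hash the candidate with each stored salt; a match means it was one of the last four.
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    if not errors:
        account.history.append(hash_password(new_password))
    return errors


def authenticate(account: Account, password: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'denied' or 'locked'; the counter and lockout window implement 8.3.4."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"                     # still inside the lockout window
    if not account.history:
        return "denied"                     # no password has been set yet
    salt, digest = account.history[-1]
    if hmac.compare_digest(hash_password(password, salt)[1], digest):
        account.failed_attempts = 0         # a success resets the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0
        return "locked"
    return "denied"


def unlock_after_identity_check(account: Account) -> None:
    """8.3.4 permits an earlier unlock once the user's identity has been confirmed (see 8.3.3)."""
    account.locked_until = 0.0
    account.failed_attempts = 0
```

The history check re-hashes the candidate under each stored salt rather than keeping old passwords in a comparable form, so meeting 8.3.7 does not weaken 8.3.2. The `now` parameter exists so the lockout window can be exercised without waiting thirty minutes.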
8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE.
In PCI DSS v3.2.1 this was Requirement 8.3 ("secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication"); in v4.0 it is Requirement 8.4. Under v4.0, MFA is required for all non-console access into the CDE by personnel with administrative access (8.4.1), for all remote network access originating from outside the entity's network that could access or impact the CDE (8.4.3), and, effective 31 March 2025, for all access into the CDE (8.4.2). Requirement 8.5 governs how the MFA system itself must be configured.
Key Risks
Frequently Asked Questions
What is multi-factor authentication (MFA)?
MFA requires at least two authentication factors of different types: something you know (a password or passphrase), something you have (a hardware or software token, smart card or certificate), or something you are (a biometric). Two factors of the same type, such as a password plus a PIN, do not constitute MFA.
Where is MFA required?
For all non-console administrative access into the CDE, for all remote network access originating from outside the entity's network that could access or impact the CDE (which includes third-party and vendor access), and, under PCI DSS v4.0 from 31 March 2025, for all access into the CDE.
Can MFA be bypassed?
Not if it is configured as Requirement 8.5.1 specifies: the MFA system must not be susceptible to replay attacks, must use at least two different factor types, must require every factor to succeed before access is granted (with no indication of which factor failed before all have been submitted), and must not be bypassable by any user, including administrators, unless management has documented and authorized a time-limited exception.
What are common mistakes with MFA implementation?
Partial coverage that leaves some path into the CDE (for example a jump host or an administrative protocol reached from inside the network) without MFA, delivering the second factor over a channel an attacker who holds the first factor can also reach, and using weak factors or two factors of the same type.
How should MFA be managed and monitored?
Through centralized management of enrollment and policy, regular testing that every required access path actually enforces MFA, and review of authentication logs for failed or skipped MFA prompts and for any exceptions granted outside the documented process.
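MFA verification as a worked example, added here; this is not code from this page or from the PCI SSC. It pairs a stored password with a TOTP (RFC 6238) second factor and shows the properties the answers above describe: both factors are checked before any grant, the caller receives one generic failure whichever factor was wrong, and a code that has already been accepted is rejected when replayed even though its 30-second window is still open. MfaServer, client_code, the in-memory user record, the seed and the PBKDF2 parameters are constructed for the example; a real deployment would keep the TOTP seed encrypted at rest and apply the 8.3.4 lockout to these attempts as well.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

TOTP_STEP = 30       # RFC 6238 time step in seconds
TOTP_DIGITS = 6
TOTP_SKEW = 1        # tolerate one step of clock drift either side
PBKDF2_ROUNDS = 100_000   # kept low so the example runs quickly


def totp_code(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) over a time-step counter, i.e. TOTP (RFC 6238), HMAC-SHA1, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def client_code(secret: bytes, now: int) -> str:
    """The code an authenticator app (the 'something you have') shows at time `now`."""
    return totp_code(secret, now // TOTP_STEP)


class MfaServer:
    """Constructed in-memory verifier for the example (not a real product's API)."""

    def __init__(self) -> None:
        self.users = {}

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret,   # must be stored encrypted in a real system (8.3.2)
            "last_counter": -1,           # highest time step already accepted for this user
        }

    def _password_ok(self, rec: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def _totp_match(self, rec: dict, code: str, now: int) -> Optional[int]:
        """Return the time step the code is valid for, or None.
        Steps at or below last_counter are skipped, so a code already used to log in
        cannot be replayed even while its 30-second window is still open."""
        if len(code) != TOTP_DIGITS or not code.isdigit():
            return None
        current = now // TOTP_STEP
        for counter in range(current - TOTP_SKEW, current + TOTP_SKEW + 1):
            if counter <= rec["last_counter"]:
                continue
            if hmac.compare_digest(totp_code(rec["totp_secret"], counter), code):
                return counter
        return None

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        """Both factors are submitted together and both are evaluated before any grant."""
        rec = self.users.get(username)
        if rec is None:
            return False
        step = self._totp_match(rec, code, now)
        pw_ok = self._password_ok(rec, password)    # evaluated even if the code already failed
        if not pw_ok or step is None:
            return False                  # one generic result: caller cannot tell which factor failed
        rec["last_counter"] = step        # consume the step only on full success
        return True
```

The step is recorded only after both factors pass, so an attacker who holds a valid code but not the password cannot burn it for the legitimate user, and a valid code that has been used once is useless for the rest of its window.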
Common QSA Questions
Can you show evidence of MFA enforcement for all required access points?
Yes: the configuration of each access path into the CDE (VPN, jump hosts, administrative protocols) showing MFA enforced, plus authentication logs that record both factors being verified for remote and administrative access.
How do you ensure MFA cannot be bypassed?
The MFA system is configured per Requirement 8.5.1 (different factor types, all factors required before access, no replay), no user including administrators can skip it without a documented, time-limited, management-approved exception, and we monitor authentication logs for anomalies and periodically test each access path for bypasses.
What happens if a user cannot complete MFA?
Access is denied until successful authentication with all required factors.