8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
Defined Approach Requirements
8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
Customized Approach Objective
Cleartext authentication factors cannot be obtained, derived, or reused from the interception of communications or from stored data.
Defined Approach Testing Procedures
8.3.2.a Examine vendor documentation and system configuration settings to verify that authentication factors are rendered unreadable with strong cryptography during transmission and storage.
8.3.2.b Examine repositories of authentication factors to verify that they are unreadable during storage.
8.3.2.c Examine data transmissions to verify that authentication factors are unreadable during transmission.
Purpose
Network devices and applications have been known to transmit unencrypted, readable authentication factors (such as passwords and passphrases) across the network and/or store these values without encryption. As a result, a malicious individual can easily intercept this information during transmission using a "sniffer," or directly access unencrypted authentication factors in files where they are stored, and then use this data to gain unauthorized access.
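As an added illustration (not from this page or the PCI SSC), the storage half of this requirement in Python: a salted, iterated one-way hash (PBKDF2-HMAC-SHA256, an assumed choice of strong cryptography) so a stored password cannot be recovered or reused, plus a repository check in the spirit of testing procedure 8.3.2.b that flags any record not stored in that form. The record format, iteration count and sample repository are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed record layout (not mandated by PCI DSS): algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # assumed minimum work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Render a password unreadable for storage: random salt + iterated one-way hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored record; the original password is never recovered."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


def _is_hex(value: str) -> bool:
    try:
        bytes.fromhex(value)
        return bool(value)
    except ValueError:
        return False


def audit_repository(records: Dict[str, str]) -> List[str]:
    """8.3.2.b-style check: return accounts whose stored factor is not a salted, iterated hash."""
    failing = []
    for user, stored in records.items():
        parts = stored.split("$")
        ok = (len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit()
              and int(parts[1]) >= ITERATIONS and _is_hex(parts[2])
              and _is_hex(parts[3]) and len(parts[3]) == 64)
        if not ok:
            failing.append(user)
    return failing


# Constructed sample repository: one hashed record, one cleartext, one under-iterated.
SAMPLE_REPOSITORY = {
    "alice": hash_password("correct horse battery"),
    "bob": "hunter2",
    "carol": "pbkdf2_sha256$1000$00$ab",
}
```

Running `audit_repository(SAMPLE_REPOSITORY)` reports `bob` (cleartext) and `carol` (weak record), while `verify_password` still authenticates `alice` without any readable copy of her password on disk.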
Purpose
Use MFA for all remote network access to the CDE.
Compliance Strategies
- VPN or remote desktop with MFA
Typical Policies
- Remote Access Policy
Common Pitfalls
- Remote access without MFA
Type
Technical Control
Difficulty
Moderate
Key Risks
- Remote compromise of CDE
Recommendations
- Integrate remote access with MFA solutions
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER