8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE.
This requirement focuses on implementing multi-factor authentication (MFA) to secure access to the cardholder data environment (CDE), ensuring that administrative access and other critical access points require multiple authentication factors for enhanced security.
Sub-requirements:
- 8.4.1 MFA is implemented for all non-console access into the CDE for personnel with administrative access.
- 8.4.2 MFA is implemented for all non-console access into the CDE.
- 8.4.3 MFA is implemented for all remote access originating from outside the entity's network that could access or impact the CDE.
8.4. Authentication factors are protected against unauthorized disclosure and replay.
Ensure all authentication factors (passwords, tokens, biometrics) are securely managed and protected from interception or misuse.
Key Risks
Frequently Asked Questions
How are authentication factors protected?
By encrypting credentials in transit, enforcing strong password policies, and preventing reuse of authentication codes.
Can authentication factors be transmitted in clear text?
No, all authentication factors must be protected using strong cryptography.
What is a replay attack?
A replay attack is when an attacker intercepts and reuses authentication data to gain unauthorized access.
How can replay attacks be prevented?
By using one-time passwords, time-based tokens, and secure transmission protocols.
Why is it important to separate user IDs and authentication factors?
To prevent easy guessing and to enforce strong authentication practices.
Common QSA Questions
Can you show how authentication factors are protected in your systems?
Yes, we use encryption for all authentication traffic and enforce strong password and token management policies.
How do you prevent replay attacks?
We use time-based or one-time authentication codes and monitor for suspicious login attempts.
How do you ensure authentication factors are not reused or predictable?
Our policies prohibit reuse and require complexity for all authentication factors.