8.4.2 MFA is implemented for all non-console access into the CDE.

Defined Approach Requirements

8.4.2 MFA is implemented for all non-console access into the CDE.

Customized Approach Objective

Access into the CDE cannot be obtained by the use of a single authentication factor.

Applicability Notes

This requirement does not apply to:

• Application or system accounts performing automated functions.
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
• User accounts that are only authenticated with phishing-resistant authentication factors.

MFA is required for both types of access specified in Requirements 8.4.2 and 8.4.3. Therefore, applying MFA to one type of access does not replace the need to apply another instance of MFA to the other type of access. If an individual first connects to the entity's network via remote access, and then later initiates a connection into the CDE from within the network, per this requirement the individual would authenticate using MFA twice, once when connecting via remote access to the entity's network and once when connecting from the entity's network into the CDE.

The MFA requirements apply for all types of system components, including cloud, hosted systems, and on-premises applications, network security devices, workstations, servers, and endpoints, and includes access directly to an entity's networks or systems as well as web-based access to an application or function.

MFA for access into the CDE can be implemented at the network or system/application level; it does not have to be applied at both levels. For example, if MFA is used when a user connects to the CDE network, it does not have to be used when the user logs into each system or application within the CDE.

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

8.4.2.a Examine network and/or system configurations to verify MFA is implemented for all non-console access into the CDE.

8.4.2.b Observe personnel logging in to the CDE and examine evidence to verify that MFA is required.

Purpose

Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors. This is especially true in environments where traditionally the single authentication factor employed was something a user knows such as a password or passphrase.

Definitions

Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.

Refer to Appendix G for the definition of "phishing resistant authentication."