8.5.1 MFA systems are implemented as follows:
Defined Approach Requirements
8.5.1 MFA systems are implemented as follows:
- The MFA system is not susceptible to replay attacks.
- MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period.
- At least two different types of authentication factors are used.
- Success of all authentication factors is required before access is granted.
Customized Approach Objective
MFA systems are resistant to attack and strictly control any administrative overrides.
Applicability Notes
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Defined Approach Testing Procedures
8.5.1.a Examine vendor system documentation to verify that the MFA system is not susceptible to replay attacks.
8.5.1.b Examine system configurations for the MFA implementation to verify it is configured in accordance with all elements specified in this requirement.
8.5.1.c Interview responsible personnel and observe processes to verify that any requests to bypass MFA are specifically documented and authorized by management on an exception basis, for a limited time period.
8.5.1.d Observe personnel logging into system components in the CDE to verify that access is granted only after all authentication factors are successful.
8.5.1.e Observe personnel connecting remotely from outside the entity's network to verify that access is granted only after all authentication factors are successful.
Purpose
Poorly configured MFA systems can be bypassed by attackers. This requirement therefore addresses configuration of MFA system(s) that provide MFA for users accessing system components in the CDE.
Definitions
Using one type of factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
A replay attack is when an attacker intercepts a valid transmission of data and then resends or redirects this communication for malicious purposes. In MFA implementations, replay attacks are typically used to gain unauthorized access by leveraging legitimate credentials.
Examples
Examples of methods to help protect against replay attacks include, but are not limited to:
- Unique session identifiers and session keys
- Timestamps
- Time-based, one-time passwords or passcodes
- Anti-replay mechanisms that detect and reject duplicated authentication attempts.
Further Information
For more information about MFA systems and features, refer to the following:
PCI SSC's Information Supplement: Multi-Factor Authentication
PCI SSC's Frequently Asked Questions (FAQs) on this topic.
purpose
Manage authentication for application and system accounts securely.
compliance strategies
- Service account management
- Application credential vaulting
typical policies
- Service Account Policy
common pitfalls
- Hardcoded credentials
- Shared service accounts
type
Technical Control
difficulty
High
key risks
- Application compromise
recommendations
- Use secrets management solutions (HashiCorp Vault, CyberArk)
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER
Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy