Five Things To Know About PCI DSS 4.0 Authentication Requirements


The Payment Card Industry Security Standards Council recently updated their Data Security Standard (PCI DSS) for protecting payment card data. The latest version, PCI DSS 4.0, introduces more than 60 new or updated requirements, with new directives around passwords and multi-factor authentication (MFA) among the most consequential.

What is PCI DSS 4.0?

First introduced in 2004, the PCI DSS guidelines apply to any organization that stores, processes or transmits cardholder data. To demonstrate PCI DSS compliance, organizations undergo assessment on all systems that interact with the cardholder environment.

In March 2022, the Council announced PCI DSS version 4.0, providing guidelines that aim to better secure account holder and payment card data within today's evolving cyberthreat landscape. The current version, PCI DSS 3.2.1, will be officially deprecated in March 2024, and organizations will be required to implement the PCI DSS 4.0 guidelines in a phased manner over twelve months.

While version 4.0 contains updates across the board, some of the most significant relate to strong authentication requirements, specifically password usage and multi-factor authentication (MFA). Weak forms of authentication leave organizations and data vulnerable to brute force attacks, credential phishing and multiple other password-related attacks. Understanding these new requirements is key for PCI DSS compliance. We look at five critical areas as well as their potential impact for your business.

1. PCI DSS 4.0 Password Requirements

One of the biggest changes in PCI DSS version 4 is its much stricter specifications regarding passwords. PCI DSS 4.0 password requirements (sections 8.3.4-8.3.9) include:

  • Passwords must be long and complex: Under PCI DSS 4.0 requirements, passwords must be a minimum of 12 characters.
  • Passwords must be reset every 90 days and cannot be reused: An exception is made if continuous, risk-based authentication is used, where the security posture of accounts is dynamically analyzed and real-time access is automatically determined accordingly.
  • Login attempts should be limited: According to PCI DSS 4.0 password requirements, after a maximum of 10 unsuccessful login attempts, users should be locked out for at least 30 minutes or until they verify their identity through the help desk or other means.
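The three rules above map directly onto a password policy enforcer. The following is an added example (not code from the article or from HYPR) that encodes the 12-character minimum, the 90-day maximum age, the no-reuse history check and the 10-attempt / 30-minute lockout; the letters-and-digits check is our reading of "complex", and the plain SHA-256 hashing is illustrative only.

```python
from dataclasses import dataclass, field
from hashlib import sha256

MIN_LENGTH = 12                 # 8.3.6: at least 12 characters
MAX_PASSWORD_AGE = 90 * 86400   # 8.3.9: change at least every 90 days (seconds)
MAX_FAILED_ATTEMPTS = 10        # 8.3.4: lock out after at most 10 failures
LOCKOUT_SECONDS = 30 * 60       # 8.3.4: stay locked for at least 30 minutes


@dataclass
class Account:
    password_hash: str
    password_set_at: float                      # Unix timestamp of last change
    history: list = field(default_factory=list)  # hashes of previous passwords
    failed_attempts: int = 0
    locked_until: float = 0.0


def _h(pw: str) -> str:
    # Illustrative only; a real system uses a salted, slow hash (bcrypt, argon2).
    return sha256(pw.encode()).hexdigest()


def validate_new_password(account: Account, candidate: str) -> list:
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    # Assumption: "complex" means both alphabetic and numeric characters.
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("needs letters and numbers")
    if _h(candidate) == account.password_hash or _h(candidate) in account.history:
        problems.append("reused")
    return problems


def authenticate(account: Account, password: str, now: float) -> tuple:
    """Return (granted, reason), enforcing lockout, counting failures and password age."""
    if now < account.locked_until:
        return False, "locked"          # even a correct password is refused while locked
    if _h(password) != account.password_hash:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return False, "invalid"
    account.failed_attempts = 0
    if now - account.password_set_at > MAX_PASSWORD_AGE:
        return False, "expired"         # caller must force a password change first
    return True, "ok"
```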

Potential impact of the PCI DSS 4.0 password requirements

Longer passwords are more onerous for users and are more likely to be written down or insecurely saved in files on a device. Forced updates also tend to trigger unsafe user behaviors, as people often make only minor changes that hackers are likely to guess. Moreover, all these requirements are likely to result in more help desk calls. Recent research from Forrester and HYPR shows that the average help desk call costs organizations $42.50/call.

2. MFA Required for All Access to the CDE

Under PCI DSS 3.2.1 guidelines, MFA was required only for administrators accessing the cardholder data environment (CDE). Under the new PCI DSS MFA rules (8.4.2), all access to the CDE must be gated by multi-factor authentication. The MFA requirements apply for all types of system components, including cloud, hosted systems, and on-premises applications, network security devices, workstations, servers and endpoints.

Multi-factor authentication is defined as using two independent factors from the following categories:

  • Something you know, such as a password or passphrase.
  • Something you have, such as a token device or smart card.
  • Something you are, such as a biometric element.

In its guidance on authentication factors, version 4.0 specifically says to look at FIDO (Fast IDentity Online) for the use of tokens, smart cards, or biometrics as authentication factors. While it stops short of requiring FIDO-based factors, some of its other guidance, as you will see below, points to a clear preference.

Potential impact

The new regulations make clear that multi-factor authentication must be used every time the CDE is accessed, even if a user already used MFA to authenticate into the network under the remote access requirements (see below). This will add significant friction for workers, with potential consequences for both productivity and employee satisfaction. Moreover, most organizations, even if they already use some form of MFA, do not have the correct technology or systems to address the requirement for MFA for desktops, workstations and servers.

3. PCI DSS Now Requires MFA for All Remote Access

Previously, MFA was required for remote access to the cardholder data environment. With this updated PCI DSS MFA guidance, anyone logging in from outside your secured network perimeter, even if they are not actually accessing the CDE, must use multi-factor authentication. This includes all employees, both users and administrators, and all third parties and vendors. This also means that any web-based access must use MFA, even if used by employees on site.

Potential impact

Effectively this means that all of your workforce who are remote, hybrid or have supporting roles outside the organization must use MFA at all times. It also means that any employee using a web-based application to access your networks and systems must use MFA, even if they are on site. In addition to the cost and IT burden of implementing MFA, cumbersome MFA procedures can negatively impact both employee productivity and satisfaction.

4. PCI DSS MFA Configuration Requirements

The new standard doesn't just cover who must use MFA and when; it also introduces guidelines on how MFA systems must be configured to prevent misuse. Many traditional MFA solutions are susceptible to man-in-the-middle, push bombing and other attacks that bypass MFA controls. Requirement 8.5 specifies weaknesses and misconfigurations to assess for PCI compliance. These include:

  • Your MFA system must not be susceptible to replay (aka man-in-the-middle) attacks.
  • MFA must not be able to be bypassed unless a specific exception is documented and authorized by management.
  • Your MFA solution must use two different and independent factors for authentication.
  • Access cannot be granted until all authentication factors are successful.
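The last three bullets describe checks an MFA decision point can enforce in code. The following added example (not from the article or from HYPR) rejects configurations whose factors are not from independent categories, evaluates every factor before deciding so that a failure reveals nothing about which factor was wrong, and honors a bypass only when it carries a documented management authorization; the `Factor`, `BypassException` and verifier callables are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass
class Factor:
    category: Category
    verify: Callable[[object], bool]   # True when the presented evidence checks out


@dataclass
class BypassException:
    reason: str        # what is being excepted and why
    approved_by: str   # management authorization; 8.5 requires it be documented


def configuration_problems(factors: list) -> list:
    """Return requirement 8.5 configuration problems (empty list = acceptable)."""
    problems = []
    if len(factors) < 2:
        problems.append("fewer than two factors")
    if len({f.category for f in factors}) < len(factors):
        problems.append("factors are not from independent categories")
    return problems


def verify_mfa(factors: list, presented: dict,
               bypass: Optional[BypassException] = None) -> bool:
    """Grant only when every factor succeeds; an undocumented bypass is ignored."""
    if bypass is not None and bypass.reason and bypass.approved_by:
        return True
    if configuration_problems(factors):
        return False
    # Evaluate all factors before deciding: no short-circuit, so timing and the
    # result do not reveal which factor failed (missing evidence is presented as None).
    outcomes = [f.verify(presented.get(f.category)) for f in factors]
    return all(outcomes)
```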

As discussed earlier, the PCI DSS guidance on types of authentication factors makes reference to FIDO-based authentication. FIDO authentication is phishing-resistant, eliminates replay attacks and, depending on the FIDO solution, is inherently multi-factor.

Potential impact

If your MFA solution uses SMS, OTPs or other insecure methods, it may not meet PCI compliance requirements.

5. Strong Cryptographic Protocols

While earlier versions of PCI DSS required the use of strong cryptographic protocols to protect transactions and cardholder data, PCI DSS 4.0 extends the cryptographic requirement. With the new rules, any stored sensitive authentication data (SAD) must be encrypted using strong cryptography. 

Potential impact

If your authentication system doesn’t properly encrypt and securely store authentication data, then it may not meet PCI compliance requirements.

Meet PCI DSS 4.0 Compliance With HYPR

The new PCI DSS framework now aligns much more closely with the NIST SP 800-63B Digital Identity Guidelines, guidance from CISA and the OMB, and other regulatory agencies that urge the adoption of FIDO-based phishing-resistant MFA and a Zero Trust authentication approach.

HYPR helps organizations comply with PCI DSS MFA requirements as well as multiple other provisions included in the standard. HYPR replaces the traditional password-based approach with secure passwordless authentication that is certified by FIDO and based on passkeys. Core elements of the solution, such as the incorporation of biometric authentication, possession of a trusted device, and cryptographic tokens securely stored on the device TPM or secure enclave, ensure strong, phishing-resistant multi-factor authentication that meets PCI DSS requirements.

At the same time, HYPR greatly improves the user experience, eliminating the need for long, complex passwords and streamlining multi-factor authentication to a single user gesture.

To learn how HYPR can help your organization meet PCI DSS 4.0 requirements, contact one of our compliance experts.
