The Payment Card Industry Security Standards Council recently updated their Data Security Standard (PCI DSS) for protecting payment card data. The latest version, PCI DSS 4.0, introduces more than 60 new or updated requirements, with new directives around passwords and multi-factor authentication (MFA) among the most consequential.
First introduced in 2004, the PCI DSS guidelines apply to any organization that stores, processes or transmits cardholder data. To demonstrate PCI DSS compliance, organizations undergo assessment on all systems that interact with the cardholder environment.
In March 2022, the Council announced PCI DSS version 4.0, providing guidelines that aim to better secure account holder and payment card data within today’s evolving cyberthreat landscape. Organizations are required to implement PCI DSS 4.0 guidelines in two phases. The first phase deadline was March 31, 2024 and included 13 new mandatory requirements. The next deadline is March 31, 2025, at which time another 51 new requirements, which were only recommendations in the first phase, become mandatory.
While version 4.0 contains updates across the board, some of the most significant relate to strong authentication requirements, specifically password usage and multi-factor authentication (MFA). Weak forms of authentication leave organizations and data vulnerable to brute force attacks, credential phishing and multiple other password-related attacks. Understanding these new requirements is key for PCI DSS compliance. We look at five critical areas as well as their potential impact for your business.
One of the most significant updates in PCI DSS version 4 involves stricter specifications regarding passwords. Key PCI DSS 4.0 password requirements (sections 8.3.4-8.3.9) include:
Longer passwords are more onerous for users and are more likely to be written down or insecurely saved in files on a device. Forced updates also tend to trigger unsafe user behaviors as people often make only minor changes that hackers are likely to guess. Moreover, all these requirements are likely to result in higher help desk calls. Recent research from Forrester and HYPR shows that the average help desk call costs organizations $42.50/call.
Under PCI DSS 3.2.1 guidelines, MFA was required only for administrators accessing the cardholder data environment (CDE). Under the new PCI DSS MFA rules (8.4.2), all access to the CDE must be gated by multi-factor authentication. The MFA requirements apply for all types of system components, including cloud, hosted systems, and on-premises applications, network security devices, workstations, servers and endpoints.
Multi-factor authentication is defined as using two independent factors from the categories:
In its guidance on authentication factors, Version 4.0 specifically says to look at FIDO (Fast IDentity Online) for the use of tokens, smart cards, or biometrics as authentication factors. While it stops short of requiring FIDO-based factors, some of its other guidance, as you will see below, points to a clear preference.
The new regulations make clear that multi-factor authentication must be used every time the CDE is accessed, even if a user already used MFA to authenticate into the network under the remote access requirements (see below). This will add significant friction for workers, with potential consequences for both productivity and employee satisfaction. Moreover, most organizations, even if they already use some form of MFA, do not have the correct technology or systems to address the requirement for MFA for desktops, workstations and servers.
Previously, MFA was required for remote access to the cardholder data environment. With this updated PCI DSS MFA guidance, anyone logging in from outside your secured network perimeter, even if they are not actually accessing the CDE, must use multi-factor authentication. This includes all employees, both users and administrators, and all third parties and vendors. This also means that any web-based access must use MFA, even if used by employees on site.
Effectively this means that all of your workforce that are remote, hybrid or have supporting roles outside the organization must use MFA at all times. It also means that any employee using a web-based application to access your networks and systems must use MFA, even if they are on site. In addition to the cost and IT burden of implementing MFA, cumbersome MFA procedures can negatively impact both employee productivity and satisfaction.
The new standard doesn’t just cover who must use MFA and when, it also introduces guidelines on how MFA systems must be configured to prevent misuse. Many traditional MFA solutions are susceptible to man-in-the-middle, push bombing and other attacks that bypass MFA controls. Requirement 8.5 specifies weaknesses and misconfigurations to assess for PCI compliance. These include:
As discussed earlier, the PCI DSS guidance on types of authentication factors makes reference to FIDO-based authentication. FIDO authentication is phishing-resistant, eliminates replay attacks and, depending on the FIDO solution, is inherently multi-factor.
If your MFA solution uses SMS, OTPs or other insecure methods, it may not meet PCI compliance requirements.
While earlier versions of PCI DSS required the use of strong cryptographic protocols to protect transactions and cardholder data, PCI DSS 4.0 extends the cryptographic requirement. With the new rules, any stored sensitive authentication data (SAD) must be encrypted using strong cryptography.
If your authentication system doesn’t properly encrypt and securely store authentication data, then it may not meet PCI compliance requirements.
It's worthwhile to call out another critical provision of PCI DSS, which though not new, is receiving renewed attention. Section 8.3.3 (previously section 8.2.2) mandates that the user identity is verified before modifying any authentication factor. This is intended to prevent social engineering attacks that target the credential reset / account recovery process.
How identity verification can stop help desk social engineering
The new PCI DSS framework now aligns much more closely with the NIST SP 800-63B Digital Identity Guidelines, guidance from CISA and the OMB, and other regulatory agencies that urge the adoption of FIDO-based phishing-resistant MFA and a Zero Trust authentication approach.
HYPR helps organizations comply with PCI DSS MFA requirements as well as multiple other provisions included in the standard. HYPR replaces the traditional password-based approach with secure passwordless authentication that is certified by FIDO and based on passkeys. Core elements of the solution, such as the incorporation of biometric authentication, possession of a trusted device, and cryptographic tokens securely stored on the device TPM or secure enclave, ensure strong, phishing-resistant multi-factor authentication that meets PCI DSS requirements. HYPR also provides secure self-service methods to verify identity for account recovery.
At the same time, HYPR greatly improves the user experience, eliminating the need for long, complex passwords and streamlining multi-factor authentication to a single user gesture.
To learn how HYPR can help your organization meet PCI DSS 4.0 requirements, contact one of our compliance experts.
1. What is PCI DSS 4.0, and why was it introduced?
PCI DSS 4.0 is an updated version of the Payment Card Industry Data Security Standard, announced in March 2022. It aims to enhance the security of cardholder data in response to the evolving cyberthreat landscape. It introduces new requirements, especially in areas such as strong authentication and multi-factor authentication (MFA), to better protect sensitive payment information.
2. What are the key changes in password requirements under PCI DSS 4.0?
Under PCI DSS 4.0, passwords must be at least 12 characters long and include a mix of special characters, uppercase, and lowercase letters. Passwords need to be reset every 90 days unless continuous, risk-based authentication is implemented. Additionally, accounts are locked after 10 unsuccessful login attempts, requiring identity verification for re-entry.
3. How does PCI DSS 4.0 impact multi-factor authentication (MFA) requirements?
PCI DSS 4.0 mandates MFA for all access to the cardholder data environment (CDE), not just administrators. This includes cloud, on-premises, and network components. MFA is also required for any remote access, even if employees are on-site but using web-based systems. The MFA system must be configured to resist attacks such as man-in-the-middle attacks and replay attacks.
4. What is the deadline for implementing PCI DSS 4.0 requirements?
The PCI DSS 4.0 guidelines are being rolled out in two phases. The first deadline, March 31, 2024, included 13 new mandatory requirements. The second phase, with an additional 51 requirements, must be fully implemented by March 31, 2025.
Editor's Note: This blog was originally published August 2023 and has been updated to reflect current timelines and provide additional information.