New Resources Issued For Payments Industry To Improve Understanding, Implementation Of MFA Guidance
Data compromise is a problem that refuses to go away. Data compromises have never been far from the news headlines in recent years and although there have been several high-profile cases, small and medium sized companies are increasingly being targeted too.
It is an issue that affects companies of all sizes and any business can fall victim to such attacks. Further, security experts are warning that the problem of compromised or stolen credentials is on the rise, and this continued threat has resulted in a need for more stringent measures to protect consumer and company data.
Recently, in response to the necessity for additional security, the PCI Security Standards Council has issued an update that introduces a new sub-requirement for the payments industry.
Because of this update, new multifactor authentication (MFA) security guidance and resources have been introduced by the PCI Security Standards Council; these resources aim to assist in data protection and to highlight what it considers to be the best practices.
As well as the statements issued on its blog, the PCI has published a PDF guide explaining in full the newly introduced update; this article aims to explain the update and the requirements more fully, however, it’s advised that organizations read the PDF through to familiarize themselves with all the details and how the changes might apply to them.
Before going into detail about the latest guidance, this article will start with an explanation of what MFA is and how it can lower the chances of data compromise.
Rather than just asking for one form of identification such as a password, MFA makes data safer by requiring multiple layers to assist in verifying the identity of the person requesting access; these multiple layers make it more difficult for a hacker – or anyone else who shouldn’t be accessing the data – to obtain the information they are after, but only when it has been applied correctly.
Most people will already be familiar with MFA in one form or another, or they’ll at least be familiar with two-factor authentication, where a text is sent to their cell phone to confirm their identity; these measures are increasingly being used by companies to act as a deterrent to would-be hackers.
However, it’s also important to understand the difference between multi-step and multifactor authentication. Multi-step authentication is something that you’ll see in place on sites like Google, and while it does guard against hackers, it is by no means the same as MFA.
To further explain what the PCI Security Standards Council means by multi-step authentication, they define it like this:
“If an individual submits credentials (e.g., username/password) that, once successfully validated, lead to the presentation of the second factor for validation (e.g., biometric), this would be considered ‘multi-step authentication.’”
Multi-step authentication might not provide sufficient protection, which is why MFA is becoming a necessity.
What Does the New Update Mean?
Under the new 3.2 update, the requirements for multifactor authentication have changed.
As stated in the new guidance, MFA has always been a requirement of the PCI Data Security Standard for “Remote access to the cardholder data environment.” However, under the update it is stated that MFA should “Also be applied to all non-console access into the CDE for personnel with administrative access.”
These changes have been set out in a statement issued by PCI and are due to come into force next year. The Council states:
“Effective 1 February 2018, MFA will also be required for administrative personnel with non-console access (administered or managed over a network) to computers and systems handling cardholder data (the cardholder data environment).”
The guidance also says:
“While PCI DSS does not currently require MFA implementations to meet all the principles described in this guidance document, it may in the future, and these industry-recognized best practices provide a roadmap for future security considerations.”
The update was first announced by the PCI Security Standards Council in 2016.
Speaking at the time, PCI Security Standards Council CTO Troy Leach, said:
“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.”
“We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data.”
The newly introduced measures apply to companies that collect payments from their customers, and also require companies to add encryption and penetration testing to help secure data.
What Are the MFA Requirements?
In its blog, the PCI Security Standards Council shares the standard advice of using something you know, an object you own and/or something you are as part of authentication measures. The PCI Security Standards Council recommends introducing a minimum of two out of three of these steps, and for PCI DSS requirement purposes, a unique user identification is also required.
There are several options for each step, including:
- Something you know – this is usually a password. Alternatively, a passphrase, PIN or question and answer can be used for this element.
- Something you own – this could be a smart card or token device; however, one-time passwords, employee access cards, key fobs and SIM cards can also be used.
- Something you are – this could be biometrics or something similar.
Biometrics are in use by numerous companies, and retina and iris scans and facial and voice recognition are now playing a larger part in data security. As well as being used in corporations to confirm an identity, biometrics are something that consumers are becoming more familiar with via their use of smartphones for mobile banking, making payments, etc. This is known as biometric payments.
Consumers are also increasingly willing to accept biometrics: according to research from Visa Europe, over two thirds of European consumers were keen to use biometrics when they made a payment, and were especially comfortable using them as part of multi-factor identification. In addition, biometrics are likely to be used more often as major corporations move away from passwords.
Further steps such as geolocation and time recognition can also be added to authenticate a person’s identity; geolocation is already being utilized by financial institutions, although it is not without its limitations, and it is not a requirement for MFA.
The council also offers advice for safeguarding the above information.
- It recommends that passwords shouldn’t be easy to guess or ‘brute force.’ You can find some advice on creating strong passwords here, however, make sure the method of storing/remembering passwords is in keeping with PCI guidelines.
- Physical objects such as smart and employee access cards are not to be shared and you should also make efforts to prevent them from being copied. And the PCI Security Standards Council says biometrics should be guarded against ‘unauthorized replication’ and from ‘use by others on which the data is present.’ In addition, passwords and physical objects shouldn’t be shared with ‘unauthorized parties.’
Implementing MFA Guidance
Naturally, the update has led to some questions, such as who it applies to. In addition, as explained on the organization’s blog, since the update was introduced there have been concerns that MFA isn’t always being applied as it should be; this means that companies in the payments processing industry – and others who are responsible for safely storing data – might not be getting the security protection that they should be. This section aims to make the implementation guidance clear, but readers should read the PDF in full to see how it applies to them.
The new guidance sets out three principles that the PCI Security Standards Council considers necessary for a correct implementation. In the organization’s own words, these include:
“The independence of authentication measures,” and, “Ensuring that no knowledge of the success or failure of a factor is provided to the individual until all factors have been submitted.”
To gain a deeper understanding of the independence of authentication measures, there are some good examples available here, or you can refer to the PCI Security Standards Council website for further examples.
Moreover, local and regional laws/regulations also need to be taken into consideration, as their guidelines for the implementation of MFA may vary. For instance, the Council points out that the European Union Directive on Payment Services has its own guidelines, as does the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, which is described as ‘required reading’ for anyone who wishes to implement a risk management strategy.
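The two quoted principles, shown side by side in Python as an added example (this is not code from the PCI Security Standards Council or from the original article): a multi-step login that reveals the password result before the second factor is requested, beside an MFA login that takes both factors together, evaluates both, and returns only one accept/reject decision. The user name, password, salt and TOTP secret are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo credential store (not a real system): one administrative
# user with a PBKDF2 password hash and a shared secret for TOTP codes.
ITERATIONS = 200_000
SALT = b"constructed-demo-salt"
USERS = {
    "admin": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
        "totp_secret": b"constructed-demo-totp-secret",
    }
}

def totp(secret: bytes, timestep: int) -> str:
    """6-digit RFC 6238 style code for a 30-second time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(candidate, rec["pw_hash"])

def check_totp(user: str, code: str, timestep: int) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(totp(rec["totp_secret"], timestep), code)

def multi_step_login(user: str, password: str) -> str:
    """Multi-step: the password result is revealed before the second factor
    is even requested, so the caller learns which factor failed."""
    if not check_password(user, password):
        return "password rejected"
    return "password accepted; now supply OTP"

def multi_factor_login(user: str, password: str, code: str, timestep: int) -> bool:
    """MFA: both factors are submitted together, both are always evaluated,
    and the only output is a single accept/reject decision."""
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, timestep)
    return pw_ok and otp_ok
```

The second function also keeps the factors independent: the TOTP check never consults the password or its hash, so a leaked password reveals nothing about the code.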
Also of note is the Council’s statement on the use of SMS authentication. They say: “While the National Institute of Standards and Technology (NIST) currently permits the use of SMS, they have advised that out-of-band authentication using SMS or voice has been deprecated and may be removed from future releases of their publication.”
You can find the current NIST digital identity guidelines here.
When NIST originally made the statement, this led to a lot of media speculation that SMS two-factor authentication was going to be banned, and if this was to happen it would cause considerable upheaval for companies already using it. However, as engadget reports, this isn’t the case.
Nevertheless, there have been concerns that SMS used as a second authentication factor isn’t a secure enough step, but there is plenty that users can do to mitigate these possible security issues.
Weak Passwords & the Growing Problem of Stolen Credentials
The measures are necessary to help protect against the rise in stolen credentials, and the need to do this becomes more obvious once the scale of the problem is explained in detail.
In 2015, the problem of stolen credentials was described as an ‘epidemic’ in an article by Identity Week. The article explained how little passwords do to protect credentials and clearly shows that passwords aren’t enough on their own, which is why measures like MFA are becoming necessary.
Another article, which was again published in 2015, estimated that the majority (95 percent) of companies had been a victim of a data breach, and the most concerning aspect of this is many organizations won’t realize they have been hacked until much later.
In addition, according to Verizon’s 2016 Data Breach Investigations Report, some of the most commonly affected companies are those in retail, hospitality and health care.
The report examined more than 2,000 data breaches and over 100,000 ‘incidents,’ which helps to highlight the sheer scale of the problem; one common issue detailed in the report remains the poor choice of passwords. The main issue with passwords is that they are either too weak, or the company hasn’t changed them from the default, making it far too easy for credentials to be stolen.
The issues caused by weak credentials were also detailed in earlier research by Verizon from 2013. Back then, it was reported that four out of five security breaches were the result of exploited/stolen credentials, which again demonstrates how passwords on their own aren’t adequate, and weakened credentials were also being blamed for increasing levels of cybercrime.
The increased level of data breaches and the lower level of security provided by passwords might be the reason that more corporations are turning to MFA.
Research published by SecureAuth Corp shows a strong swing towards MFA, with 93 percent of firms surveyed stating they use it. In addition, 30 percent of companies will either introduce or further expand their use of MFA in 2017.
Growing concerns over data hacks have added a new level of importance to adequately protecting data, and as research confirms, it has become clear that passwords on their own do not provide enough protection.
One way to give data added security is by introducing MFA, and by reading the PCI Security Standards Council resources, organizations can effectively introduce and implement MFA as an additional security measure.
MFA helps to keep hackers from accessing data by putting in place multiple layers of authentication, and it is a security method that is now favored by numerous companies and organizations.
However, as the PCI Security Standards Council explains, MFA can only be effective when it is implemented correctly, and it needs to be implemented in accordance with its updated guidelines, and with any applicable local and regional requirements.