How to Address New MFA Requirements in Payment Card Industry Data Security Standard 3.2
May 6, 2016 | Regulations, Audit & Compliance | Jessica Stanford
If you have any lingering doubt about the significant role privileged accounts play in advanced cyber attacks, consider the fact that yet another security authority updated requirements to expand the security controls prescribed for privileged accounts. Last week, the PCI Security Standards Council released version 3.2 of their Payment Card Industry Data Security Standard (PCI DSS). One of the key changes in PCI 3.2 is the additional requirement of multi-factor authentication (MFA) for administrators accessing the cardholder data environment (CDE).
PCI DSS is a global standard focused on protecting cardholder data. Extending the standard to require multi-factor authentication for privileged users who are responsible for securing, managing and accessing the databases, servers and applications that contain sensitive cardholder data is a good move.
It’s no secret that attackers seek privileged accounts in order to gain access to sensitive, confidential information. This is how they successfully accomplish their mission. We’ve seen many regulations and standards add and expand controls that require organizations to protect access to privileged accounts, secure and monitor usage of these sensitive accounts and identify suspicious privileged activity.
After reviewing the full text of the updated PCI DSS requirement 8.3 “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication,” it’s clear that the PCI Security Standards Council has outlined two options for organizations to meet this requirement. The first option is to enforce MFA at the point of access to the CDE. The second option is to enforce MFA at every individual system and application within the CDE.
Rolling out MFA across every individual system and application can be challenging – deploying, integrating and managing that architecture would be time-consuming, and most likely, headache-inducing. The easier and more secure method is to enforce MFA at the point of access to the CDE. This is exactly what CyberArk has been doing for years to help organizations secure privileged access to sensitive data.
By implementing MFA at the network level, it’s not only easier to deploy and manage, but organizations also get additional security benefits. With a single point of entry for all privileged access to the CDE, organizations can control, isolate and monitor all administrative sessions. This is particularly important for remote users and third-party vendors accessing cardholder data environments – PCI 3.2 specifies that MFA is required for both internal and third-party access.
With this approach, CyberArk can help organizations to address the latest requirements in PCI 3.2 by enforcing MFA for administrators when they access the CyberArk solution. Through the CyberArk C3 Alliance, CyberArk has developed a number of out-of-the-box integrations to support a range of multi-factor authentication methods.
Read more about how CyberArk solutions help organizations address PCI standards here.