(Feb 1, 2018 – SecurEnvoy) As of today, anyone responsible for treating or handing personal card data will be subject to even more stringent security requirements to meet the latest PCI-DSS guidance.
Whilst there’s some understandable annoyance at the administrative burden, SecurEnvoy believe that, with the number of cards still being exposed in breaches, it’s time some of the existing loopholes were closed off for good.
Why? Because PCI-DSS 3.2 recognises that compliance needs to be applied more broadly and consistently across the whole business: Breaches can – and do – come from all areas of an organisation, not always from the most obvious place.
Attackers don’t need direct systems access, or access via a console when there are broader weaknesses allowing side access.
Many of these gaps can be closed through appropriate implementation of Multi-factor Authentication (MFA). With the new regulations, personnel at a broad range of access levels will need MFA-secured authorisation to work with credit card data – including:
- All personnel with non-console based access to the data (for example, customer support staff who may need access to deal with billing enquiries)
- Personnel with remote access to the data environment, from within a trusted internal or external network (e.g. VPN, web access, etc.) will all need to authenticate via MFA.
- Personnel with direct administrative responsibility for data
- Personnel with physical access to devices on which data is held (e.g. servers and databases).
These changes potentially pose additional challenges to system admins.
How SecurEnvoy can help.
Firstly, it’s likely that companies will need to manage multiple users – and groups of users with differing levels of authentication requirements and keep those requirements regularly updated.
Secondly, to demonstrate compliance, regular reporting is required to demonstrate how access is obtained, by whom and via what authentication type.
I say potentially, because with the right choice of MFA solution, these needn’t be the challenge they may seem. SecurEnvoy’s industry leading MFA tool, SecurAccess, enables creation and remote management of user groups, enabling you to add, remove and update group members on-the-fly and with minimal fuss. Plus, with the fully redesigned, intuitive UI of SecurAccess V9, regular and ad-hoc reporting can be managed with the click of a button.
Acceptable MFA factors – for PCI and in SecurEnvoy’s eyes for any other use, are:
- Something only you know
- Something only you have (mobile device)
- Something only you are (fingerprint, ocular scan, face scan)
While some providers will allow other factors to be used – such as geolocation, time of day or IP address – these do not count towards the two-factor minimum and should not be treated as an additional security level of any value.
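The factor rule above is easy to get wrong in practice: two authenticators from the same category (a password plus a PIN) are still one factor, and contextual signals are not factors at all. The following is an added illustration, not SecurEnvoy's or SecurAccess's code, of a policy check that counts only distinct categories from the three listed above and ignores geolocation, time of day and IP address; the authenticator names and the category mapping are assumptions chosen for the example.

```python
"""Added example: decide whether a set of presented authenticators meets a
two-factor minimum, counting only distinct factor categories (knowledge,
possession, inherence). Contextual signals are logged but never counted."""

from typing import Iterable, Set

# Assumed mapping from authenticator type to the factor category it belongs to.
# Two entries in the same category (e.g. password + PIN) still make one factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "otp_app": "possession",
    "sms_otp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "iris": "inherence",
}

# Signals some providers present as "factors"; they carry no factor value here.
CONTEXTUAL_SIGNALS = {"geolocation", "time_of_day", "ip_address"}


def distinct_factors(authenticators: Iterable[str]) -> Set[str]:
    """Return the set of distinct factor categories actually presented.

    Contextual signals are skipped; an unknown authenticator name is an error
    rather than silently counted, so a misconfigured policy fails closed."""
    categories: Set[str] = set()
    for name in authenticators:
        if name in CONTEXTUAL_SIGNALS:
            continue
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {name}")
        categories.add(FACTOR_CATEGORY[name])
    return categories


def satisfies_mfa(authenticators: Iterable[str], minimum: int = 2) -> bool:
    """True only when at least `minimum` distinct categories were presented."""
    return len(distinct_factors(authenticators)) >= minimum


if __name__ == "__main__":
    # Constructed sample access attempts for illustration.
    attempts = {
        "password + authenticator app": ["password", "otp_app"],
        "password + PIN (same category)": ["password", "pin"],
        "password + geolocation + IP": ["password", "geolocation", "ip_address"],
        "fingerprint + hardware token": ["fingerprint", "hardware_token"],
    }
    for label, presented in attempts.items():
        print(f"{label:35} -> {'PASS' if satisfies_mfa(presented) else 'FAIL'}")
```

Run as a script it prints a PASS/FAIL line per constructed attempt; only the combinations that span two of the three categories pass, which is the behaviour an assessor would expect to see evidenced in access reporting.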
Not all MFA is created equal – making the right choice now can save hours of admin and thousands in potential penalties.
The best providers ensure users and admins are able to gain access to the information they need quickly, securely and with authorisation types to suit all environments and preferences. And that’s what SecurEnvoy has been delivering since we invented tokenless two-factor authentication a decade ago.
The deadline for compliance has now come and gone. If you still need to understand more about your obligations under PCI-DSS 3.2, and how SecurAccess can help you get compliant quickly and with minimal administrative burden, contact us.