PCI DSS 3.2 will likely require two-factor authentication for administrators

Any day now, we expect the PCI Council to release PCI DSS 3.2.  According to PCI Security Standards Council Chief Technology Officer Troy Leach:

When making changes to the standard, in addition to market feedback, we look closely at the threat landscape, and specifically what we are seeing in breach forensics reports as the trending attacks causing compromises. With this in mind, for 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE).

It seems as though the PCI Council has been reading the Verizon DBIR. 

Luckily, WiKID has just released an Active Directory protocol providing native two-factor authentication for Windows environments and servers.  This feature will allow Windows administrators to log in using a WiKID one-time passcode.  The OTP is pushed to AD as the account's new password and then overwritten on expiry.  It is quite simple to set up as well.
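To make the lifecycle concrete, here is a small Python model of the pattern just described: an OTP is generated, pushed into the directory as the account password, accepted while it is valid, and then overwritten with a random value nobody knows once it expires. This is an added illustration, not WiKID's code or protocol; the in-memory DirectoryStub, the OtpPasswordRotator class and the fixed 60-second TTL are assumptions made for the example, and a real deployment would be writing to Active Directory rather than a Python dict.

```python
"""Illustrative model of the "OTP as AD password, overwritten on expiry" pattern.

Added example, not WiKID's implementation. DirectoryStub stands in for the
directory the OTP is pushed to; OtpPasswordRotator is a hypothetical helper.
"""
import hashlib
import hmac
import os
import secrets
import time


class DirectoryStub:
    """Minimal stand-in for a directory: stores a salted PBKDF2 hash per user."""

    def __init__(self):
        self._creds = {}  # username -> (salt, digest)

    def set_password(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds[user] = (salt, digest)

    def check_password(self, user, password):
        if user not in self._creds:
            return False
        salt, digest = self._creds[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(candidate, digest)


class OtpPasswordRotator:
    """Issues a numeric OTP, pushes it as the directory password, and replaces
    it with an unguessable random value once the TTL has elapsed."""

    def __init__(self, directory, ttl_seconds=60, clock=time.time):
        self.directory = directory
        self.ttl = ttl_seconds
        self.clock = clock  # injectable clock keeps the demo deterministic
        self._expiry = {}   # username -> absolute expiry time

    def issue(self, user, digits=8):
        otp = "".join(secrets.choice("0123456789") for _ in range(digits))
        self.directory.set_password(user, otp)
        self._expiry[user] = self.clock() + self.ttl
        return otp

    def expire_due(self):
        """Overwrite every expired OTP with a long random secret that is never
        shown to anyone, so the old passcode (or its hash) is no longer useful."""
        now = self.clock()
        for user, deadline in list(self._expiry.items()):
            if now >= deadline:
                self.directory.set_password(user, secrets.token_urlsafe(32))
                del self._expiry[user]

    def login(self, user, password):
        self.expire_due()
        return self.directory.check_password(user, password)


def run_demo(ttl_seconds=60):
    """Issue an OTP, log in inside the window, then retry after expiry.
    Returns the observed outcomes so they can be checked programmatically."""
    now = [1_000_000.0]  # constructed fake clock
    rotator = OtpPasswordRotator(DirectoryStub(), ttl_seconds, clock=lambda: now[0])
    otp = rotator.issue("admin")
    within_window = rotator.login("admin", otp)
    now[0] += ttl_seconds            # advance the clock past the TTL
    after_expiry = rotator.login("admin", otp)
    return {"otp_len": len(otp), "within_window": within_window, "after_expiry": after_expiry}


if __name__ == "__main__":
    print(run_demo())
```

The point for a defender is the expiry step: because the stored credential is replaced as soon as the passcode's lifetime ends, a password or hash captured during the window stops working shortly afterwards, which is what makes this pattern a mitigation for the credential-reuse attacks the post goes on to mention.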

Payment processors and merchants face a difficult challenge.  Much of their infrastructure is dispersed and in less-than-optimal environments.  It needs to be available to non-employees and thus is open to physical attack. Locking down administrative accounts makes a great deal of sense.  Preventing attackers from escalating their privilege via attacks like pass-the-hash and forcing their presence out in the open is critical. 

UPDATE:  We have published a tutorial on requiring 2FA for admins on both Linux (CentOS/RHEL/Ubuntu) and Windows.
