Concerned about the PCI DSS 4.0.1 lookback period starting in March of 2025? LEARN MORE

Multi-factor or two-factor authentication?

  • Team Omega
  • August 30, 2016

Multi-factor authenticationThe PCI Council explains, ‘the term “two-factor” was replaced with the term “multi-factor” in several requirements in PCI DSS v3.2 (Requirements 8.3, 8.3.1, 8.3.2, and 8.5.1). The intent of this change was to use more consistent terminology that accurately represents the meaning of the term. This is simply a change in naming convention and does not alter its definition, which is that at least two authentication factors are used in the authentication process.’

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Wrong use:

  • Using one factor twice is not multi-factor.

Right use:

  • Something you know (such as a knowledge question), something you have (your password) and something you are (bio metrics).
  • This is admissible as well – something you have (your password) and proof of who you are (bio metrics through a smart phone) for proving your identification.

Multi-factor authentication:

  • Is required for any remote access to networks with access to the card data environment (CDE).
  • Is required for all remote access to an entity’s networks.
  • Is required when connecting to a CDE system from a non-CDE network.
  • Can be implemented at network level or at system/application level.

Do you need help with implementing safe practices for securing access to your network environment? Or follow policies as recommended by the payment card industry standards? Get in touch with Omega.