SecurID® Discussions


SecurID requirements to comply with PCI-DSS 3.2

With the new requirements that take effect February 1, 2018, can anyone assist with the scope of what needs to have two-factor authentication? For example, I'm certain that those who hold administrative credentials will need to use two-factor authentication when initially logging on to their computer. Is two-factor auth required for every in-scope server RDP access or network device SSH session?

2 Replies

PCI DSS 3.2 has changed the two-factor authentication requirement to multi-factor, clarifying that you’re not limited to only two. Additionally, this requirement no longer applies to just employees working remotely, but anyone with non-console admin access to the cardholder data environment (CDE), regardless of location.


PCI DSS 3.2 is the addition of “multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.”


This basically means that, upon implementation of PCI DSS 3.2, users must provide two or more credentials to gain access to credit card data and related systems. This means anything...RDP, SSH, VPN, direct login with keyboard and monitor...any type of access.


Users will need to expect to need to use the token a lot more often. Getting into the trusted network once is not enough. Once in, they should expect two-factor to be required for every system they access. 


Our current QSA told us that RSA Soft-Token does not pass PCI DSS requirements and that we need to have the RSA hard token or an RSA token generated on a separate device from the corporate desktop/laptop, i.e., a phone. My take is that the PIN associated with unlocking the token would be considered something you know and separate from the AD login to the laptop and should pass PCI. Have you had any experience with this situation?