This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
ScottBuckley
Beginner
Beginner
‎2017-12-06 02:10 PM

SecurID requirements to comply with PCI-DSS 3.2

With the new requirements that take effect February 1, 2018, can anyone assist with the scope of what needs to have two factor authentication?  For example, I'm certain that those hold administrative credentials will need to use two factor authentication when initially logging on to their computer.  Is two factor auth required for every in-scope server RDP access or network device SSH session?

Labels (1)
Labels
0 Likes
Reply
2 Replies
EdwardDavis
Employee
Employee
‎2017-12-06 02:56 PM

PCI DSS 3.2 has changed the two-factor authentication requirement to multi-factor, clarifying that you’re not limited to only two. Additionally, this requirement no longer applies to just employees working remotely, but anyone with non-console admin access to the cardholder data environment (CDE), regardless of location.

 

PCI DSS 3.2 is the addition of “multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.”

 

This basically means that, upon implementation of PCI DSS 3.2, users must provide two or more credentials to gain access to credit card data and related systems. This means anything...RDP, SSH, VPN, direct login with keyboard and monitor...any type of access.

 

Users will need to expect to need to use the token a lot more often. Getting into the trusted network once is not enough. Once in, they should expect two-factor to be required for every system they access. 

Reply
Rod
New Contributor
New Contributor
In response to EdwardDavis
‎2023-01-17 09:51 AM

Hello, 

   Our current QSA told us that RSA Soft-Token does not pass PCI DSS requirements and need to have the RSA hard token or RSA token generated on a separate device from corporate desktop/laptop ie, phone.  My take is that the PIN associated with unlocking the token would be considered something you know and separate from the AD login to the laptop and should pass PCI.  Have you had any experience with this situation.

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.