8.5.1 MFA systems are implemented as follows:
  (a) The MFA system is not susceptible to replay attacks,
  (b) MFA systems cannot be bypassed by any users, including administrative users, unless specifically documented and authorized by management on an exception basis, for a limited time period,
  (c) At least two different types of authentication factors are used,
  (d) Success of all authentication factors is required before access is granted.
  • Examine vendor system documentation to verify that the MFA system is not susceptible to replay attacks.
  • Examine system configurations for the MFA implementation to verify it is configured in accordance with all elements specified in this requirement.
  • Interview responsible personnel and observe processes to verify that any requests to bypass MFA are specifically documented and authorized by management on an exception basis, for a limited time period.
  • Observe personnel logging into system components in the CDE to verify that access is granted only after all authentication factors are successful.
  • Observe personnel connecting remotely from outside the entity’s network to verify that access is granted only after all authentication factors are successful.

Description

Purpose

Poorly configured MFA systems can be bypassed by attackers. This requirement therefore addresses configuration of MFA system(s) that provide MFA for users accessing system components in the CDE.

Definitions

Using one type of factor twice (for example, using two separate passwords) is not considered multi-factor authentication.

A replay attack is when an attacker intercepts a valid transmission of data and then resends or redirects this communication for malicious purposes. In MFA implementations, replay attacks are typically used to gain unauthorized access by leveraging legitimate credentials.
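The replay attack just defined, together with the time-based one-time passwords and duplicate-attempt detection listed under Examples below, as an added example that is not part of this requirement's guidance: a small Python verifier, standard library only, that refuses anything short of two different factor types (8.5.1 c), evaluates every presented factor before deciding (8.5.1 d), and rejects a captured TOTP code that is resubmitted by remembering the highest time step already consumed for the user. The user record, TOTP seed, salt and password are constructed sample data; the class and function names are this example's own and do not correspond to any particular MFA product.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    password_hash: bytes      # knowledge factor (salted PBKDF2 of the password)
    salt: bytes
    totp_secret: bytes        # possession factor (authenticator seed, constructed here)
    last_totp_step: int = -1  # anti-replay state: highest time step already accepted


class MfaVerifier:
    """Hypothetical verifier: two distinct factor types, all evaluated, no OTP reuse."""

    def __init__(self, users: dict, step: int = 30, skew: int = 1):
        self.users, self.step, self.skew = users, step, skew

    def _check_password(self, user: UserRecord, value: str) -> bool:
        return hmac.compare_digest(pbkdf2(value, user.salt), user.password_hash)

    def _match_totp(self, user: UserRecord, value: str, now: int):
        """Return the time step the code matches (allowing +/- skew), or None."""
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            expected = hotp(user.totp_secret, candidate)
            if hmac.compare_digest(expected.encode(), value.encode()):
                return candidate
        return None

    def authenticate(self, username: str, factors, now: int = None) -> bool:
        """factors: list of (factor_type, value). True only when every factor succeeds."""
        now = int(time.time()) if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        if len({ftype for ftype, _ in factors}) < 2:
            return False  # 8.5.1(c): two passwords, or one factor alone, is not MFA
        results, matched_step = [], None
        for ftype, value in factors:  # 8.5.1(d): evaluate all factors, no short-circuit
            if ftype == KNOWLEDGE:
                results.append(self._check_password(user, value))
            elif ftype == POSSESSION:
                matched_step = self._match_totp(user, value, now)
                # 8.5.1(a): a code for a step already consumed is a replay, even if it
                # is still inside the skew window
                results.append(matched_step is not None and matched_step > user.last_totp_step)
            else:
                results.append(False)  # inherence not implemented in this example
        if not all(results):
            return False
        user.last_totp_step = matched_step  # consume the step only on full success
        return True


if __name__ == "__main__":
    salt, secret = b"constructed-salt", b"12345678901234567890"
    users = {"alice": UserRecord(pbkdf2("correct horse", salt), salt, secret)}
    verifier = MfaVerifier(users)
    t = int(time.time())
    code = totp(secret, t)
    print("first use:", verifier.authenticate("alice", [(KNOWLEDGE, "correct horse"), (POSSESSION, code)], t))
    print("replayed: ", verifier.authenticate("alice", [(KNOWLEDGE, "correct horse"), (POSSESSION, code)], t + 5))
```

The step is recorded only after the whole attempt succeeds, so a wrong password does not burn the legitimate user's current code; brute-forcing the password against a captured code within its 90-second window is then left to the account lockout controls that apply to every login attempt. Replay protection for the session that follows (unique session identifiers, session keys) is a separate control and is not shown here.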

Examples

Examples of methods to help protect against replay attacks include, but are not limited to:

• Unique session identifiers and session keys

• Timestamps

• Time-based, one-time passwords or passcodes

• Anti-replay mechanisms that detect and reject duplicated authentication attempts.

Further Information

For more information about MFA systems and features, refer to the following:

PCI SSC’s Information Supplement: Multi-Factor Authentication

PCI SSC’s Frequently Asked Questions (FAQs) on this topic.