In April 2016, the new PCI DSS 3.2 version was adopted. Some of the changes introduced in this version become effective on the February 1st, 2018. These are changes in employee authentication upon access to bank information systems. In particular, starting from February 1st, 2018, multi-factor authentication becomes mandatory for a number of access scenarios.

The PCI DSS defines the following factors or methods of user authentication:

  • Something that you know;
  • Something that you have;
  • Something that you possess.

Here are some examples of the mentioned factors, that are the most frequently used in practice of multi-factor authentication.

Something that you know

  • USB key or smart card PIN code. PIN is stored in device memory only and is used to access the protected data area of a smart card or USB key to perform various cryptographic operations, including the authentication ones.
  • Answer to security question. As a rule, this method is used as redundant for access recovery. For security reasons, it is recommended to require correct answers for several questions.
  • Classic conventionally constant password.

Something that you have

  • USB key or smart card. Such devices have private key stored on them to perform asymmetric cryptography operations, and also other key data
  • OTP-key - one-time password (OTP) generator. OTP hardware generation device. The most commonly used standard of one-time password generation are OATH TOTP and HOTP algorithms. There also are proprietary OTP generation algorithms (RSA, for example)
  • User smartphone. A user smartphone can be used as: (a) mobile application for OTP generation; (b) device to receive OTP via SMS; (c) mobile application for out of band authentication using push notifications
  • Proximity card (RFID). Such cards can be used both for logical access to information systems and for physical access to company premises

Something that you possess (something that you are)

This category holds all the technologies based on the biometric data.

  • Currently, the most widely spread biometric authentication method is fingerprint verification. Today, this technology has one of the best quality-price balances among the biometric technologies.
  • Vein pattern This technology uses hand or finger vein pattern to create a biometric template. The advantages of the technology are high recognition accuracy and hygienic cleanness, as vein pattern recognition is performed at distance, with no direct contact between palm or finger and scanner.
  • Photo (2D face image). This technology is one of the cheapest biometric authentication methods, as it does not require usage of special devices. A disadvantage of the technology is that recognition accuracy is dependent on the room illumination.
  • 2D and 3D face image. For authentication with 2D and 3D face image, Intel RealSense™ technology is used. This allows for obtaining of highly accurate face image (in IR band as well) and thus for higher authentication accuracy.
  • Voice biometrics. As is the case with face photo image, voice biometrics is also one of the cheapest authentication methods. The technology advantage is the opportunity to use phone calls for authentication. The drawbacks are relatively low recognition accuracy and limited number of usage scenarios.

It should be noted that the standard requires combined use of at least two different authentication factors. In other words, use of two passwords or two fingerprints is not multi-factor authentication. The most frequent practical combinations of various authentication factors are listed below:

  • Smart card (with private key and certificate) + PIN code
  • Constant password + one-time password
  • Proximity card + constant password
  • Proximity card + fingerprint verification
  • Fingerprint verification + constant password
  • Smartphone application (push notification) + constant password
  • Smartphone application (push notification) + fingerprint verification

The Indeed Identity products allow for implementation of all the mentioned authentication factor combinations and also support the opportunity of authentication scenario list expansion upon request. The following products are used to build the multi-factor authentication system:

Indeed Certificate Manager

Centralized lifecycle management system of smart cards, USB tokens and digital certificates. Indeed Certificate Manager (Indeed CM) makes it possible to reduce the PKI infrastructure usage expenses and increase its efficiency by applying a centralized smart card and certificate usage policy, routine automation and user self-service.

Indeed Access Manager

Indeed Access Manager (Indeed AM) is the universal authentication system, designed to implement the strong and/or multi-factor authentication in any enterprise systems: OS, web- and mobile applications, VPN, VDI, SAML-compatible applications etc. Enterprise Single Sign-On technology is also supported.

The following are comments on implementation of certain requirements of PCI DSS 3.2 to authentication using the Indeed Identity software.

PCI DSS 3.2 requirementComments

8.1.3 Immediately revoke access for any terminated users.

8.1.3.b Verify all physical authentication methods—such as, smart cards, tokens, etc.—have been returned or deactivated.

The Indeed Certificate Manager contains the service for monitoring of account statuses of smart card and certificate users. When an account is deactivated, the service automatically revokes the user’s digital certificates. This allows for timely prevention of dismissed employee’s card and certificate usage. The Indeed CM also stores the information about the cards and USB tokens assigned to the user to control the devices’ application.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.

8.1.6.a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.

The Indeed CM uses centralized management of PIN code policies. This allows for unified settings to be applied for all smart cards, including the number of logon attempts until smart card is locked.

The Indeed Access Manager also allows for centralized definition of authentication method locking upon exceeding the defined number of logon attempts.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

  • Something you know, such as a password or passphrase
  • Something you have, such as a token device or smart card
  • Something you are, such as a biometric.

Indeed Certificate Manager and Indeed Access Manager allow to use all the mentioned authentication methods. At that, depending on the environment, different authentication variants may be available to employee (for example, smart card + PIN code for OS logon and password + OTP for VPN access).

8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.

The Indeed СМ supports the redundant authentication technology that uses security questions to perform smart card unlocking operations. This allows to meet the requirement when performing operations with smart card PIN code.

8.2.3 Passwords/passphrases must meet the following:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.

Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above.

The Indeed CM utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to PIN code complexity.

8.2.4 Change user passwords/passphrases at least once every 90 days.

The Indeed CM utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to PIN code validity terms.

8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used

The Indeed CM utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to PIN code history.

8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use

The Indeed CM utilizes centralized management of PIN code policies. This allows for applying unified settings to all the smart cards, including the requirements to generation of random PIN codes and mandatory change of PIN code upon the first logon.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication

The requirement can be met either using PKI (public key infrastructure) or without it. Combination of technologies is also possible. For example, like this: 
- Smart cards and digital certificates are used for authentication in local operation mode (OS and applications); 
- One-time passwords are used for remote access (e.g., for VPN authentication). 
The choice of technologies is conditioned by the hardware and software used. Besides, the choice of technology can be dependent of the user role and privileges (e.g., employees can use certificates, and third parties - SMS only). The Indeed CM and Indeed AM software allow for implementation of any authentication scenario, not dependent on certain technologies.