Skip to main content

More information on the upcoming PCI-DSS 3.2

The PCI Council has published another blog post on the upcoming changes for PCI-DSS 3.2 especially how they relate to multi-factor authentication.

The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.

<snip>

The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.

This must be a bit controversial.  It's trivial to do this for a linux environment (using pam-radius for sudo), but it traditionally has been much harder to do this on Windows.  Until WiKID's new AD 2FA protocol (as far as I know) this meant making an alteration to the GINA, the ctrl-alt-delete mechanism.  The GINA had almost no documentation for the longest time, as if Microsoft really didn't want you working there and might change anything arbitrarily. The focus on 'protecting the perimeter' meant no one really cared, but now the Council is saying they do.  And they should as every attack requires some form of escalation in privilege.  Companies must harden the 'soft-chewy centers' of their M&M-like networks. 

I think this also means a change for security pros that mock PCI as a 'floor'.  If your environment is not doing two-factor authentication for administrators, then PCI-DSS is looking down on you.

 

Current rating: 1

Recent Posts

Archive

2024
2022
2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom