It seems like every year there is a major retail security breach that impacts thousands of consumers. In 2018 alone, we have already seen Panera, Lord & Taylor, Saks Fifth Avenue, Under Armour, Sears, Kmart, and many other retailers experience security breaches caused by flawed payment systems, either online or in stores. The Identity Theft Resource Center reported 1,093 breaches in 2016, and credit card information accounted for 13.1 percent of the records exposed during that time.
As the scope of these threats starts to grow, the retail industry must adhere to PCI DSS rules. The Payment Card Industry Security Standards Council (PCI SSC) is a global organization that maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data worldwide.
As of January 2018, the PCI DSS 3.2 multi-factor authentication (MFA) deadlines went into effect. This new tier of compliance adds another level of MFA security. These requirements must be applied to all parties with out-of-network access into the cardholder data environment.
The PCI SSC issued an information supplement on multi-factor authentication to educate organizations on how to best implement the new guidelines.
What is Multi-Factor Authentication?
Multi-factor authentication is a method of confirming a user’s claimed identity and helps prevent someone from pretending to be a valid user. MFA adds a second level of security on top of the user name and password, which on their own are single-factor authentication. PCI DSS Requirement 8.2 requires that at least two of the three authentication methods below be in place:
- Something you know: This could be a password or phrase, a PIN, or answers to security questions. The user must be able to correctly verify this information.
- Something you have: These are physical possessions such as a token device, smart card, key fob or smartphone.
- Something you are: This method involves verification of characteristics that are unique to the individual. Examples include fingerprints, retina scans, facial recognition, voice recognition, etc.
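The important detail in the list above is that the two factors must come from different categories: a password plus a PIN is still only "something you know". The following check, an added example that is not part of the original article or of any LightEdge product, classifies a login attempt's authenticators into the three categories and reports whether the attempt actually counts as MFA. The authenticator names in the mapping are constructed for illustration.

```python
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping of authenticator types to the three PCI DSS factor
# categories. The keys are illustrative names, not any vendor's API.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_questions": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "smart_card": Factor.HAVE,
    "smartphone_push": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
}


def factors_presented(authenticators):
    """Return the distinct factor categories covered by the given authenticators.

    An authenticator that has not been classified is an error rather than a
    silent pass: unknown methods must not be counted toward MFA.
    """
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTOR]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {AUTHENTICATOR_FACTOR[a] for a in authenticators}


def satisfies_mfa(authenticators, minimum=2):
    """True only if at least `minimum` distinct categories are present.

    Two authenticators from the same category (password + PIN) count as one.
    """
    return len(factors_presented(authenticators)) >= minimum


def explain(authenticators):
    """Human-readable verdict for a login attempt, useful in audit logs."""
    categories = sorted(f.value for f in factors_presented(authenticators))
    verdict = "MFA" if satisfies_mfa(authenticators) else "single-factor"
    return f"{verdict}: {', '.join(categories)}"


if __name__ == "__main__":
    print(explain(["password", "pin"]))                   # single-factor
    print(explain(["password", "hardware_token"]))        # MFA
    print(explain(["smart_card", "pin", "fingerprint"]))  # MFA, all three
```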
Multi-Factor Authentication Best Practices
When it comes to implementing MFA in the retail industry, here are some best practices for a seamless experience.
- Implement it everywhere: MFA is most effective when it is applied across the board. This means in a company’s cloud applications, on-prem applications, services, resources, etc.
- Use MFA in addition to single sign-on: Increase security by implementing MFA alongside single sign-on, which eliminates the need for multiple passwords.
- Test and monitor frequently: Your MFA policy should be kept up to date and tested for vulnerabilities regularly. Engaging IT or a third party to test it will lower the risk of a breach.
PCI Compliant Hosting
A simple way to ensure your organization remains PCI compliant is to use a PCI compliant hosting solution. These solutions combine technology and processes such as MFA, and stay current with PCI DSS requirements as they evolve.
LightEdge’s completion of a PCI Report on Compliance (ROC) validates the company as a PCI DSS Level 1 Service Provider, assuring clients that LightEdge data center facilities meet the prescriptive PCI physical security requirements. Compliance is one of our top priorities across all of our services and solutions, so much so that LightEdge can assume compliance risk on behalf of our customers.
Want to learn more about our PCI compliant hosting solutions? You can talk to one of our security experts now. Contact us here.