One of the most common questions we get from customers concerns requirement 8.3.1 of PCI DSS v3.2:
In its latest revision, PCI extends MFA as a requirement for all personnel with administrative access (console and non-console), in addition to any personnel with remote access to the Cardholder Data Environment (CDE).
The requirement to secure all administrative access to the CDE with MFA should come as no surprise. After all, most data breaches in the retail sector involve unauthorized access to the cardholder data environment.
PCI explains that the effectiveness of passwords as an authentication mechanism is questionable, and that additional security measures are therefore required. In an interview, Troy Leach, Chief Technology Officer of the PCI Security Standards Council, explains:
“The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.”
So there’s no doubt that the requirement makes sense. However, addressing this requirement is not trivial in most CDE environments due to the nature of the systems and tools in scope.
Where’s the challenge?
The scope of the CDE environment includes any systems that process, store and/or transmit cardholder and payment data, as well as anything that directly connects to, or supports, this environment.
This means that you need to enforce MFA on the following list of systems and tools that are typically found in CDEs:
- Any homegrown system that processes, stores or transmits credit card and payment data
- All relevant production servers – Windows and Linux
- Critical IT infrastructure – including hypervisors, vCenter, network devices, file shares, databases
- Virtual Private Network (VPN)
- Virtual Desktop Infrastructure (VDI)
- PAM solutions (like CyberArk)
- Remote Desktop (RDP)
- Secure Shell (SSH)
- Any cloud services that might be part of the processing
As you can see, depending on the mix of systems and tools in your CDE environment, you will need to implement multiple MFA solutions or complex network segmentation, which is a difficult task on its own, and for many of these systems it is simply not feasible. Why? Either no out-of-the-box MFA support is available, or the sensitive and critical nature of the system rules out deploying software agents or proxies or making any configuration changes. After all, nobody wants to risk the availability and stability of a critical production system.
Securing All CDE Access with Silverfort’s Agentless MFA
Silverfort’s holistic authentication platform enables organizations to add MFA to any system — including systems that were considered unprotectable until today — without deploying any software agents, implementing proxies or requiring any configuration changes. This enables our customers to easily protect all their CDE systems, as well as any access to those systems and address PCI DSS requirement 8.3.1. Here’s how:
How does it work?
1) Silverfort monitors and analyzes all user access requests across all systems and environments by looking at the authentication protocols. This means that it doesn’t need to integrate with any CDE system, or require use of any software agents.
2) By adding MFA on top of the authentication protocols, rather than per system, Silverfort can protect any system, including homegrown applications, sensitive production servers, PAM solutions and administrative access (RDP, SSH), IT infrastructure and more.
3) Silverfort continuously analyzes risk and trust levels across the network using an advanced AI-driven risk engine. Because Silverfort monitors and analyzes all user and machine access requests — and isn’t limited to specific protected systems — it analyzes about 50x more information than any other adaptive authentication solution. This enables it to accurately detect behavior-based anomalies and recognize malicious patterns such as brute force attacks, lateral movement, ransomware and more, and to apply effective risk-based authentication policies that block threats in real time. Better still, it does all this while allowing legitimate users to continue their work with minimal disruption. It can also step up authentication requirements in response to third-party security alerts.
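To make the two ideas above concrete (an in-scope list of CDE systems, and an MFA policy applied to authentication requests rather than per system, with risk signals such as brute force and lateral movement feeding the decision), here is a small, self-contained Python policy engine. It is an added illustration written for this page, not Silverfort's code and not a description of its engine. The log format, host names, group names, thresholds and every event line are constructed for the example.

```python
"""Toy risk-based authentication policy over constructed auth log lines.

Each line has the shape:  <ISO timestamp> key=value key=value ...
Decisions returned per event: 'allow', 'mfa' (step-up required),
'reject' (credentials failed) or 'block' (source throttled).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CDE inventory and admin groups (hypothetical names, not from the post).
CDE_SYSTEMS = {"vcenter01", "pay-db01", "pay-app01", "bastion01"}
ADMIN_GROUPS = {"domain-admins", "vcenter-admins", "linux-sudoers"}

BRUTE_FORCE_THRESHOLD = 5                   # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # ... within this window => block source
LATERAL_THRESHOLD = 3                       # distinct CDE hosts reached by one user ...
LATERAL_WINDOW = timedelta(minutes=10)      # ... within this window => step up


def parse_event(line):
    """Parse one log line into a dict; 'groups' becomes a set, 'success' a bool."""
    ts_str, _, rest = line.strip().partition(" ")
    ev = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        ev[key] = value
    ev["groups"] = set(ev.get("groups", "").split(",")) - {""}
    ev["success"] = ev.get("result") == "ok"
    return ev


class PolicyEngine:
    def __init__(self):
        self._failures = defaultdict(deque)   # src -> timestamps of failed logons
        self._cde_hosts = defaultdict(deque)  # user -> (ts, CDE host) successes
        self._blocked = set()                 # sources throttled for brute force

    def _note_failure(self, ev):
        q = self._failures[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > BRUTE_FORCE_WINDOW:
            q.popleft()
        return len(q)

    def _note_cde_host(self, ev):
        hosts = self._cde_hosts[ev["user"]]
        hosts.append((ev["ts"], ev["target"]))
        while hosts and ev["ts"] - hosts[0][0] > LATERAL_WINDOW:
            hosts.popleft()
        return len({h for _, h in hosts})

    def decide(self, ev):
        """Return the policy decision for a single authentication request."""
        if ev["src"] in self._blocked:
            return "block"
        if not ev["success"]:
            if self._note_failure(ev) >= BRUTE_FORCE_THRESHOLD:
                self._blocked.add(ev["src"])
                return "block"
            return "reject"
        if ev["target"] not in CDE_SYSTEMS:
            return "allow"                    # out of scope: no policy applied
        distinct = self._note_cde_host(ev)
        if ev["groups"] & ADMIN_GROUPS:
            return "mfa"                      # 8.3.1: admin access to the CDE always steps up
        if distinct >= LATERAL_THRESHOLD:
            return "mfa"                      # risk signal: fanning out across CDE hosts
        return "allow"


def evaluate(log_text):
    """Run every line of a log through one PolicyEngine; returns (user, target, decision)."""
    engine = PolicyEngine()
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [(ev["user"], ev["target"], engine.decide(ev)) for ev in events]


# Constructed sample log: an admin reaching vCenter, an out-of-scope logon,
# a brute-force burst against a CDE database, and a helpdesk user hopping hosts.
SAMPLE_LOG = """\
2019-03-04T10:00:00Z user=alice groups=vcenter-admins src=10.0.1.5 target=vcenter01 proto=https result=ok
2019-03-04T10:00:10Z user=bob groups=helpdesk src=10.0.2.9 target=wiki01 proto=https result=ok
2019-03-04T10:01:00Z user=svc-backup groups= src=10.0.9.1 target=pay-db01 proto=ssh result=fail
2019-03-04T10:01:05Z user=svc-backup groups= src=10.0.9.1 target=pay-db01 proto=ssh result=fail
2019-03-04T10:01:10Z user=svc-backup groups= src=10.0.9.1 target=pay-db01 proto=ssh result=fail
2019-03-04T10:01:15Z user=svc-backup groups= src=10.0.9.1 target=pay-db01 proto=ssh result=fail
2019-03-04T10:01:20Z user=svc-backup groups= src=10.0.9.1 target=pay-db01 proto=ssh result=fail
2019-03-04T10:01:25Z user=svc-backup groups= src=10.0.9.1 target=pay-app01 proto=ssh result=ok
2019-03-04T10:02:00Z user=carol groups=helpdesk src=10.0.3.3 target=pay-app01 proto=rdp result=ok
2019-03-04T10:02:30Z user=carol groups=helpdesk src=10.0.3.3 target=pay-db01 proto=rdp result=ok
2019-03-04T10:03:00Z user=carol groups=helpdesk src=10.0.3.3 target=bastion01 proto=rdp result=ok
"""

if __name__ == "__main__":
    for user, target, decision in evaluate(SAMPLE_LOG):
        print(f"{user:12} -> {target:10} {decision}")
```

The point of the design is that the decision is made once, at the authentication layer, from fields every protocol exposes (who, from where, to what, success or failure), so the same policy covers vCenter, SSH and RDP without touching the target systems. Note that the blocked source is refused even when it later presents valid credentials, which is what stops a brute-force run that eventually guesses right.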
Pretty cool, but what about a real life scenario? We’re glad you asked!
BlueSnap Customer Case Study:
To comply with PCI DSS requirement 8.3, BlueSnap, a global payment processor, needed to implement MFA on VMware vCenter Server, which is the IT infrastructure supporting the Cardholder Data Environment, as well as for any access to production Linux servers. They needed an MFA solution that does not require special integration or installation of software agents.
They selected Silverfort to secure all privileged access, including RDP, SSH, and admin access to vCenter. The implementation was quick and easy. A proof of concept was set up in just a couple of hours, and within a month BlueSnap extended the solution to secure privileged access in all offices across the globe.
In addition to the 8.3.1 requirement, Silverfort can address other PCI DSS requirements with a unique and holistic approach – ask us for a demo to learn more.