Diff: FAQ #1078
Is two-factor authentication required between two different segments of an internal network?
Earlier Version
Later Version
Removed
Added
As defineddescribed in PCI DSS Requirement 8.3, multi-factor authentication (previously referred to as two-factor authentication) is required for all remote network access that originates from outside the entity’s own network, where that remote access could lead to access to the cardholder data environment (Requirement 8.3.2). This typically applies where the access originates either from the Internet or from an ?untrusted? network or system; for example, access from a third party location or access by personnel from a portable computer over the Internet.
As of PCI DSS v3.2, multi-factor authentication (MFA) is also required forall remotenon-console connections to the CDE for personnel with administrative access (Requirement 8.3.1*). This includes connections that originate from within the company?s internal, ?trusted? network. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for further guidance on ?administrative access? and ?non-console access?.
The requirement to use multi-factor authentication for non-console administrative access to the CDE is limited to individuals with administrative privileges. It does not apply to non-administrative users nor does it apply to machine accounts, such as system or application accounts performing automated tasks.
Multi-factor authentication can be implemented at the networkaccess that originates from outside the entity’s own network, where that remote access could lead to access to the cardholder data environment. This typically applies where the access originates either from the Internetlevel or fromat system/application level; it does not have to be both. For example, if an ?untrusted” networkadministrator uses multi-factor authentication when logging into the CDE, they do not also need to use MFA to log into a particular system or system; for example, access fromapplication within the CDE.
* Per PCI DSS v3.2, Requirement 8.3.1 is athird party location or access by personnel frombest practice until January 31, 2018, after which it becomes a portable computer over the Internet. Internal company communications between different network segments within the same entity is not generally considered remote access, as both locations are under the control of the same entity and would be considered ?trusted?. Two-factor authentication is therefore not required for communications between trusted segments of an internal network. However, if an internal network segment is used to facilitate access between an untrusted network and the CDE, two-factor authentication is required for connections from the untrusted network to the internal network.
If remote access is to an entity?s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, two-factor authentication for remote access to that network would not be required. However, two-factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity?s networks.requirement.
As of PCI DSS v3.2, multi-factor authentication (MFA) is also required for
The requirement to use multi-factor authentication for non-console administrative access to the CDE is limited to individuals with administrative privileges. It does not apply to non-administrative users nor does it apply to machine accounts, such as system or application accounts performing automated tasks.
Multi-factor authentication can be implemented at the network
* Per PCI DSS v3.2, Requirement 8.3.1 is a
If remote access is to an entity?s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, two-factor authentication for remote access to that network would not be required. However, two-factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity?s networks.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.