Diff: FAQ #1426

Is "two-step" authentication the same as "two-factor" or "multi-factor" authentication?

Earlier Version

The idea of "two-step" authentication (e.g. the subsequent presentation of a secondary authentication step after the first authentication step is successfully performed) does not meet the Council's definition of "multi-factor" authentication, unless both of the following conditions are met:

The whole authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:

a. Something you know, such as a password or passphrase

b. Something you have, such as a token device or smartcard

c. Something you are, such as a biometric

All of the authentication mechanisms used must be independent of one another, meaning access to a secondary authentication mechanism cannot be dependent on the first (for example, relying on username/password authentication for both user authentication as well as governing access to an email account where a secondary factor is sent).

Later Version

"Two-step" or "multi-step" authentication is not the same as "two-factor" or "multi-factor". "Two-step" or "multi-step" authentication involves the presentation of one or more authentication steps after the first authentication step is successfully performed. This approach is not the same as "multi-factor" authentication, as even though the overall process may rely on multiple authentication methods, each step relies on a single authentication factor.

Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for further guidance.
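The two conditions in the earlier FAQ text (at least two of the three methods, and independence between mechanisms) can be applied mechanically to a described login flow. The following is an added example written for this page, not code from the PCI SSC or from the FAQ; the Step/Verdict types, the channel_guarded_by field and the three sample flows are constructed for illustration, and treating a code delivered to a mailbox as "something you have" is a modelling assumption, not a statement from the FAQ.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The three authentication methods named in PCI DSS Requirement 8.2.
FACTORS = ("know", "have", "are")


@dataclass
class Step:
    name: str
    factor: str  # one of FACTORS
    # Hypothetical field: name of another step in the flow whose credential
    # also controls access to the channel this step's secret is delivered over
    # (models the FAQ's "email account where a secondary factor is sent" case).
    channel_guarded_by: Optional[str] = None


@dataclass
class Verdict:
    distinct_factors: int
    independent: bool
    multi_factor: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(flow: List[Step]) -> Verdict:
    """Apply both conditions from the earlier FAQ text to a login flow."""
    names = {s.name for s in flow}
    for s in flow:
        if s.factor not in FACTORS:
            raise ValueError(f"unknown factor {s.factor!r} in step {s.name!r}")
        if s.channel_guarded_by is not None and s.channel_guarded_by not in names:
            raise ValueError(f"step {s.name!r} references unknown step {s.channel_guarded_by!r}")

    reasons: List[str] = []

    # Condition 1: the whole process must use at least two of the three methods.
    distinct = {s.factor for s in flow}
    if len(distinct) < 2:
        reasons.append(f"only one factor type used: {sorted(distinct)}")

    # Condition 2: mechanisms must be independent. A step whose delivery channel
    # is guarded by another step's credential collapses into that credential.
    independent = True
    for s in flow:
        if s.channel_guarded_by is not None:
            independent = False
            reasons.append(
                f"step {s.name!r} is reachable with the credential of "
                f"{s.channel_guarded_by!r}, so it is not independent"
            )

    return Verdict(
        distinct_factors=len(distinct),
        independent=independent,
        multi_factor=len(distinct) >= 2 and independent,
        reasons=reasons,
    )


# Constructed sample flows (illustrative only).
PASSWORD_PLUS_HARDWARE_TOKEN = [
    Step("password", "know"),
    Step("otp-from-hardware-token", "have"),
]

# The FAQ's own counter-example: the same username/password both logs the
# user in and protects the mailbox that receives the second code.
PASSWORD_PLUS_EMAIL_CODE_SAME_LOGIN = [
    Step("password", "know"),
    Step("code-sent-to-email", "have", channel_guarded_by="password"),
]

# Two "something you know" steps: multi-step, but single-factor.
PASSWORD_PLUS_SECURITY_QUESTION = [
    Step("password", "know"),
    Step("security-question", "know"),
]

if __name__ == "__main__":
    for label, flow in [
        ("password + hardware token", PASSWORD_PLUS_HARDWARE_TOKEN),
        ("password + email code (same login)", PASSWORD_PLUS_EMAIL_CODE_SAME_LOGIN),
        ("password + security question", PASSWORD_PLUS_SECURITY_QUESTION),
    ]:
        v = evaluate(flow)
        status = "multi-factor" if v.multi_factor else "NOT multi-factor"
        print(f"{label}: {status} {v.reasons}")
```

Running the block prints one line per flow. Only the password-plus-hardware-token flow satisfies both conditions; the email-code flow has two factor types but fails independence, and the security-question flow is independent but uses only one factor type, which is exactly the "multi-step is not multi-factor" distinction the later FAQ text draws.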

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.