Diff: FAQ #1449
Is two-step authentication acceptable for PCI DSS Requirement 8.3?
Earlier Version
Later Version
Removed
Added
Two-step or multi-step authentication may be acceptable for PCI DSS v3.2 Requirement 8.3, if all of the following conditions are met:
The authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smartcard
- Something you are, such as a biometric.
The authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.
Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for additional guidance and best practices.
The authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smartcard
- Something you are, such as a biometric.
The authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.
Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for additional guidance and best practices.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.