Multi-factor authentication

The PCI DSS is changing - make sure your organisation is compliant by 1st February 2018


12th December 2017

From 1st February 2018, PCI DSS Version 3.2 makes multi-factor authentication (MFA) mandatory when accessing System Maintenance. As a CivicaPay user, your organisation must meet this requirement in order to be compliant. Civica’s PCI compliance status also requires all customers to utilise MFA. 


What is multi-factor authentication?

MFA is a method of providing multiple means of validating identity when attempting access, allowing users to meet security requirements. Users may authenticate by presenting any two of the following:

  • Something they know  (e.g. username/password)

  • Something they have (e.g. hardware token/mobile device)

  • Something they are (e.g. biometrics)

PCI DSS provides further guidance here.

One of the key initial objectives of the PCI standard was to reduce the risk of fraud to card issuers and this new ‘MFA’ requirement is an extension of meeting that objective. 

It should be noted that multi-factor authentication is broadly considered to be best practice for securing access to systems, whether these are in scope of PCI or not. For example, it assists with GDPR by providing additional ‘checks’ before access to sensitive data is authorised.


Multi-factor authentication – the PCI DSS requirement

Under PCI DSS Version 3.2, requirement 8.3 (and its sub-requirements) states “Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication”.

Civica’s qualified security assessor has advised that access to system maintenance in the cardholder data environment falls under this requirement.

If you are a Hosted customer, this brings into scope all users with access to hosted system maintenance (locally installed system maintenance is not in scope of this requirement).


Our solution

To meet the PCI DSS MFA requirement, CivicaPay’s solution, validated in principle by our qualified security assessors, will utilise hardware secure ID tokens – these provide users with ‘something they have’. In tandem with the standard application username/password required for System Maintenance, the solution will provide multi-factor authentication.

  1. User enters system maintenance URL into their browser

  2. User is redirected to a new authentication page hosted by Civica. User will be required to enter the hardware token PIN

  3. Civica will authenticate the PIN entered (via integration with a 3rd party supplier)

  4. Repeated incorrect PIN entry will deny access

  5. Correct PIN will redirect the user to the login page of system maintenance.

Please refer to the high level diagram for a visual representation.
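The five-step flow above, written out as a small authentication gateway so the control points are explicit. This is an added example, not Civica's code or the token supplier's API: the third-party verifier is replaced by a stub callable, the failure threshold (3 attempts), the lockout duration (15 minutes) and the redirect URL are all assumptions, and the sample user and PIN are constructed for the example.

```python
"""Added example: a minimal MFA gateway modelling steps 2-5 of the flow.

Not Civica's code. The verifier, threshold, lockout duration and URL are
assumptions made for illustration only.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_FAILED_ATTEMPTS = 3          # assumed: the page only says "repeated incorrect PIN entry"
LOCKOUT_SECONDS = 15 * 60        # assumed lockout duration
SYSTEM_MAINTENANCE_LOGIN = "https://example.invalid/system-maintenance/login"  # placeholder

# Stand-in for the third-party token provider (step 3): a callable that answers
# "is this PIN currently valid for this user?". Constructed for the example.
Verifier = Callable[[str, str], bool]


def make_stub_verifier(valid_pins: Dict[str, str]) -> Verifier:
    """Build a verifier from a constructed user -> current-PIN table."""
    def verify(user: str, pin: str) -> bool:
        expected = valid_pins.get(user)
        if expected is None:
            return False
        # Constant-time comparison so a wrong PIN leaks nothing via timing.
        return hmac.compare_digest(expected.encode(), pin.encode())
    return verify


@dataclass
class UserState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class MfaGateway:
    verifier: Verifier
    clock: Callable[[], float] = time.time
    states: Dict[str, UserState] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)   # feed for the SOC / helpdesk

    def _state(self, user: str) -> UserState:
        return self.states.setdefault(user, UserState())

    def submit_pin(self, user: str, pin: str) -> dict:
        """Step 2-5: check the PIN, deny after repeated failure, redirect on success."""
        st = self._state(user)
        now = self.clock()
        if now < st.locked_until:
            self.audit.append(f"{user}: attempt while locked")
            return {"status": "locked", "retry_after": int(st.locked_until - now)}
        if self.verifier(user, pin):
            st.failures = 0
            self.audit.append(f"{user}: MFA success")
            # Step 5: correct PIN sends the user on to the application login.
            return {"status": "ok", "redirect": SYSTEM_MAINTENANCE_LOGIN}
        st.failures += 1
        self.audit.append(f"{user}: MFA failure {st.failures}")
        if st.failures >= MAX_FAILED_ATTEMPTS:
            # Step 4: repeated incorrect entry denies access for a period.
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            self.audit.append(f"{user}: locked out")
            return {"status": "locked", "retry_after": LOCKOUT_SECONDS}
        return {"status": "denied", "remaining": MAX_FAILED_ATTEMPTS - st.failures}


def build_demo_gateway():
    """Gateway with a controllable clock and one constructed user ("alice")."""
    clock = {"t": 1000.0}
    gw = MfaGateway(verifier=make_stub_verifier({"alice": "482913"}),
                    clock=lambda: clock["t"])
    return gw, clock


if __name__ == "__main__":
    gw, clock = build_demo_gateway()
    for attempt in ("000000", "111111", "222222", "482913"):
        print(attempt, gw.submit_pin("alice", attempt))
    clock["t"] += LOCKOUT_SECONDS + 1
    print("after lockout", gw.submit_pin("alice", "482913"))
```

The lockout is tracked per user rather than per session, so an attacker cannot reset the counter by opening a new browser, and every outcome is appended to an audit list that a helpdesk or monitoring team can review for bursts of failures.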


Frequently asked questions

What does the price include?

  • Integration between Civica's Hosted platform and 3rd party authentication platform

  • All hardware tokens

  • Boxed delivery to each nominated user

  • Initial set up of users for token use

  • Lost/broken token support

  • Means for nominated users to 'self-administrate'

  • Civica administrator support via the Helpdesk

Why is PCI now mandating multi-factor authentication?

One of the key initial objectives of the PCI standard was to reduce the risk of fraud to card issuers and this MFA requirement is an extension of meeting that objective. 

It should be noted that multi-factor authentication is broadly considered to be best practice to secure access to systems whether these be in scope of PCI or not. For example, it assists with GDPR by providing additional ‘checks’ before access to sensitive data is authorised. 

Why use hardware tokens rather than software tokens?

Initial feedback was requested from select customers on a software token solution. The consensus was that hardware tokens were preferred. 

Feedback suggested that administrator access to mobile devices or a secondary e-mail address was not readily available. From this initial feedback, the hardware token option was pursued. The solution is inclusive regardless of local IT policy or assumptions around available devices (for the 'something you have' element). We have been advised that SMS may be deprecated as a means of providing MFA support for PCI DSS.

Why is System Maintenance in scope and WebPayStaff not?

The requirement for multi-factor authentication is a PCI DSS requirement for any organisation's ongoing compliance under Version 3.2. That standard says "Secure all individual non-console administrative access...using multi-factor authentication".

System Maintenance is an administrative platform and therefore falls under scope. WebPayStaff is not an administrative system, so is exempt. 

To provide a practical example: 

Within Webpay - a user may perform the functions to which they have been granted permissions (which may include refunds). 

Within System Maintenance, you may create, delete and edit the permissions of users themselves, i.e. set up a user to perform refunds and then remove them. It is possible in this scenario to create a risk around cardholder data regardless of the fact that the actual card numbers are not compromised. A further example is that there is scope for changing data encryption keys within System Maintenance.

To be clear: in neither application is card data exposed to the user or administrator. Multi-factor authentication better secures administrative functions, which in turn better secures cardholder data. We have had numerous and lengthy communications with our qualified security assessors over the past 12 months and we have been advised that this is a PCI DSS requirement for all customers.

Fundamentally, PCI has deemed that administrative functions should be secured via multi-factor authentication, and this includes System Maintenance.

MFA is not required currently to secure standard CivicaPay users, though customers may of course choose to implement this if desired. It is not a PCI requirement at present (and there are no current indications that it will become a requirement). As above, it can assist with the likes of GDPR and other ‘regulatory’ requirements by removing reliance on username/password only for accessing sensitive data. 

Can I use a single token for multiple users?

No, each user must have their own token and be responsible for it. Sharing a token is broadly equivalent to sharing any other authentication method such as a password. Users are assigned to tokens. 

Do I need to upgrade my ICON/CivicaPay software version?

The solution does not require customers to upgrade/change their version of ICON software. Integration with the token provider has been achieved outside of the ICON application. This ensures all customers can implement the solution quickly and without dependencies whilst meeting the requirements of the standard. 

Contact us now to secure your multi-factor authentication solution

Please complete the form below and we will be in touch as soon as possible.
