Multi-factor authentication

• Integration between Civica's Hosted platform and 3rd party authentication platform
• All hardware tokens
• Boxed delivery to each nominated user
• Initial set up of users for token use
• Lost/broken token support
• Means for nominated users to 'self-administrate'
• Civica administrator support via the Helpdesk

One of the key initial objectives of the PCI standard was to reduce the risk of fraud to card issuers and this MFA requirement is an extension of meeting that objective.

It should be noted that multi-factor authentication is broadly considered to be best practice to secure access to systems whether these be in scope of PCI or not. For example, it assists with GDPR by providing additional ‘checks’ before access to sensitive data is authorised.

Initial feedback was requested from select customers on a software token solution. The consensus was that hardware tokens were preferred.

Feedback suggested that administrator access to mobile devices/a secondary e-mail address was not readily available. From this initial feedback, the hardware token option was pursued. The solution is inclusive regardless of local IT policy or assumptions around available devices (for the 'something you have' element). We have been advised that SMS may be deprecated as a means of providing MFA support for PCI DSS.

The requirement for Multi Factor Authentication is a PCI DSS requirement for any organisations ongoing compliance under Version 3.2. That standard says "Secure all individual non-console administrative access...using multi-factor authentication".

System Maintenance is an administrative platform and therefore falls under scope. WebPayStaff is not an administrative system, so is exempt.

To provide a practical example:

Within Webpay - a user may perform the functions to which they have been granted permissions (which may include refunds).

Within System Maintenance, you may create, delete and edit permissions of users themselves i.e. setup a user to perform refunds and then remove them. It is possible in this scenario to create a risk around cardholder data regardless of the fact the actual card numbers are not compromised. A further example is that there is scope for changing data encryption keys within system maintenance.

To be clear - In neither application is card data exposed to the user or administrator. Multi-factor authentication better secures administrative functions which in turn better secures cardholder data. We have had numerous and lengthy communications with our qualified security assessors over the past 12 months and we have been advised that this is a PCI DSS requirement for all customers.

Fundamentally - PCI has deemed that administrative functions should be secured via Multi-factor authentication and this includes System Maintenance.

MFA is not required currently to secure standard CivicaPay users, though customers may of course choose to implement this if desired. It is not a PCI requirement at present (and there are no current indications that it will become a requirement). As above, it can assist with the likes of GDPR and other ‘regulatory’ requirements by removing reliance on username/password only for accessing sensitive data.

No, each user must have their own token and be responsible for it. Sharing a token is broadly equivalent to sharing any other authentication method such as a password. Users are assigned to tokens.

The solution does not require customers to upgrade/change their version of ICON software. Integration with the token provider has been achieved outside of the ICON application. This ensures all customers can implement the solution quickly and without dependencies whilst meeting the requirements of the standard.