Frequently Asked Question

Two-step or multi-step authentication may be acceptable for PCI DSS Requirement 8.3, if all of the following conditions are met:

1. The authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
   • Something you know, such as a password or passphrase
   • Something you have, such as a token device or smartcard
   • Something you are, such as a biometric.
2. The authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.

Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for additional guidance and best practices.