Frequently Asked Question

For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?

Yes. PCI DSS v4.x requires the success of all authentication factors before access is granted. However, it is acceptable under PCI DSS to indicate that one factor has been successful before presentation of subsequent authentication factors.

It is recommended that systems either 1) provide no feedback about the success of any factor until all factors are provided, or 2) authenticate with a session-unique factor (for example, a one-time password (OTP) or phishing-resistant factor) before authenticating any factor that is the same across different sessions (such as a password). However, MFA implementations where the success of one factor is indicated prior to the entry of subsequent factor(s) meet applicable PCI DSS requirements for MFA.
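The first recommended design (no per-factor feedback until every factor has been presented) next to the acceptable-but-not-recommended factor-by-factor flow, as an added example that is not part of this FAQ or of any PCI SSC material. The credential store, salt, user name, TOTP seed and PBKDF2 work factor are constructed for the demonstration; the OTP is a standard RFC 6238 TOTP computed from the seed.

```python
import hashlib
import hmac
import struct

ITER = 50_000                       # PBKDF2 work factor (constructed, illustrative)
_SALT = b"constructed-salt"
# Constructed credential store: one user with a PBKDF2 password hash and a TOTP seed.
_USERS = {"alice": {"pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, ITER),
                    "totp_secret": b"constructed 20B seed"}}
_DUMMY = {"pw_hash": bytes(32), "totp_secret": bytes(20)}   # never matches a real factor

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the session-unique factor."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _password_ok(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, ITER)
    return hmac.compare_digest(candidate, user["pw_hash"])

def _otp_ok(user: dict, code: str, now: int) -> bool:
    # Accept the current 30 s step and one step either side to absorb clock drift.
    return any(hmac.compare_digest(totp(user["totp_secret"], now + d), code)
               for d in (-30, 0, 30))

def verify_stepwise(username: str, password: str, code: str, now: int) -> str:
    """Factor-by-factor flow: acceptable under PCI DSS v4.x, but the reply
    tells the caller which factor failed, i.e. whether the password was right."""
    user = _USERS.get(username)
    if user is None or not _password_ok(user, password):
        return "password rejected"
    if not _otp_ok(user, code, now):
        return "otp rejected"
    return "granted"

def verify_all_at_once(username: str, password: str, code: str, now: int) -> str:
    """Recommended flow: every factor is collected and evaluated before any
    answer is given, and only one combined verdict is returned."""
    user = _USERS.get(username)
    known = user is not None
    if not known:
        user = _DUMMY          # unknown users still pay for both checks
    pw_ok = _password_ok(user, password)      # no early return: both checks
    otp_ok = _otp_ok(user, code, now)         # always run, whatever the outcome
    return "granted" if (known and pw_ok and otp_ok) else "denied"
```

The second recommended design is the same stepwise structure with the order of the checks reversed, so that the OTP (session-unique) is verified before the password (reused across sessions).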

September 2024
Article Number: 1584
