Frequently Asked Question

Is two-step authentication acceptable for PCI DSS Requirement 8.3?

Two-step or multi-step authentication may be acceptable for PCI DSS Requirement 8.3, if all of the following conditions are met:

The authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smartcard
- Something you are, such as a biometric.
The authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.

Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for additional guidance and best practices.

August 2018

Article Number: 1449

Frequently Asked Question

Frequently Asked Question

Is two-step authentication acceptable for PCI DSS Requirement 8.3?

Featured FAQ Articles

Featured

Most Popular

Most Recently Updated

Copyright © 2006 – 2024 PCI Security Standards Council, LLC. All rights reserved. Terms and Conditions.

Frequently Asked Question

Is two-step authentication acceptable for PCI DSS Requirement 8.3?

Related

Featured FAQ Articles

Featured

Most Popular

Most Recently Updated

Copyright © 2006 – 2024 PCI Security Standards Council, LLC. All rights reserved. Terms and Conditions.