Using Okta Adaptive MFA for PCI 3.2

PCI DSS, or the Payment Credit Industry Data Security Standard, is an industry regulation that applies to any company that accepts credit cards for payments processing. The goal of the standard is to establish best practices in securing consumer information to prevent broad scale breaches of credit card and personal information.

Okta 110916 878%2520%25281%2529 As identity is a key component of a PCI security program, Okta frequently helps companies meet these requirements. In particular, many organizations leverage Okta’s Adaptive Multi-Factor Authentication solution for achieving PCI compliance. Okta AMFA is the preferred solution for companies that need to protect critical data and assets with strong authentication, while maintaining a great end user experience.

With the release of PCI-DSS 3.2 standard and the guidance around MFA, we have seen a lot of questions from customers and prospective customers around what is required, what is not, and how Okta can help you achieve compliance. Let’s dive in...

What is the PCI DSS 3.2 Guidance? PCI published an MFA guidance on 3.2 document that sought to clarify compliance requirements for multi-factor authentication. The guidance can help companies understand best practices in MFA and the way they should be thinking about protecting their business critical infrastructure in the age of web scale attacks and breaches. PCI has gone to great lengths to define these best practices, and so it’s not a stretch to imagine that some of the recommendations in guidance may actually become requirements at some point in the future.

The PCI-DSS 3.2 guidance can be loosely organized around a handful of guiding principles:1. Separation of compromise of different credentials

First, the compromise of one set of credentials should not lead to the subsequent compromise of other sets of credentials. That is to say, credentials should be independent and not linked. The best way to understand this is through a few examples of implementations that would meet or not meet this principle:

  • A website protects its login by requiring a strong password and a token emailed to the user. This would NOT be compliant under PCI 3.2, as there are no controls to ensure the user isn’t re-using the same password on their email account. In this scenario, if an attacker was able to guess, phish, or otherwise procure the username and password for a user, they could compromise the strong authentication scheme of the system by simply gaining access to the email and target system.

  • A website protects its login by requiring a strong password and an out-of-band, push-based authentication mechanism to a mobile device (such as Okta Verify). This would be compliant under PCI 3.2 as a compromise of the password would not allow for the compromise of the physical mobile device.

2. True MFA requires at least two of: what you know, what you have, and what you are

PCI organizes authenticators into three different categories: what you know, what you have, and what you are. They then require that strongly authenticating means presenting credentials that verify at least two of the aforementioned. Let’s look at a few examples of implementations that would either meet or not meet the above requirement:

  • A website protects its login by requiring a strong password and knowledge of an identifying question (what is your mother’s maiden name). This is NOT compliant under PCI 3.2, as it is using two Things You Know factors.

  • A website protects its login by requiring a strong password and a token generated by a mobile device or keyfob. This IS compliant under PCI 3.2, as it requires a Thing You Know factor and a Thing You Have factor.

Okta can help our customers to achieve PCI compliance in this regard using a broad range of our strong authenticator experiences. Okta Verify supports both an out-of-band push experience as well as a one-time passcode. Additionally, we support strong authenticators such as U2F compliant tokens and integration into Windows Hello framework. Both of these provide phishing protection, as well as cryptographic verification of a possession factor (Thing You Have). Windows Hello can also be configured to use facial recognition for verification thereby providing a biometric factor verification (Thing You Are).

3. Use adaptive policies to reduce risk

Although it not a replacement for multi-factor authentication, good adaptive policies can be used to reduce your attack surface and reduce overall risk. These might be used to restrict access to on-network traffic, restrict access to certain locations, block access from Tor exit nodes, and so forth. Okta provides a comprehensive solution around adaptive risk based policies that will allow your business to reduce risk without compromising on usability.

4. Multi-factor vs multi-step authentication

This is a hot topic amongst those in scope for PCI. In the 3.2 guidance, PCI draws a distinction between multi-step (or “step up”) authentication and multi-factor authentication. Multi-step authentication validates credentials in a series of subsequent steps. The concern with such a mechanism is that, through repeated attempts at verifying credentials, an attacker can ascertain the validity of a single credential at a time, thereby reducing the overall strength of the authentication mechanism. Multi-factor authentication on the other hand, asks that at least two of the different types of factors as described above (what you are, know, or have) are validated simultaneously so as to prevent the deduction of either’s validity independently.

It is important to call out that multi-factor vs. multi-step is not yet a requirement for PCI compliance. However, it is also not a stretch to assume that PCI may look to incorporate this as a hard requirement in the future. In that vein, Okta is committed to partnering with our customers to ensure they can continue to use Okta for achieving PCI compliance as these requirements evolve.

Okta is Here to Help In the brave new world of internet scale attacks and breaches, we look to authorities such as PCI to push the envelope in defining standards and best practices in strong authentication solutions that will help keep customer data more secure. That said, we also know that keeping up with the myriad of compliance requirements for your business can be challenging.

Okta is here to help. We meet all identity management requirements of PCI and can enable your business to become PCI certified faster. Most importantly, we will be your partner. We will work to keep you and your customers secure against a rapidly evolving threat landscape and your business compliant in the shifting regulatory environment.

To learn more about how Okta can help with security and compliance, visit