Two-Factor To Multi-Factor — Why This PCI DSS 3.2 Naming Change Is A Big Deal

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard to concern yourself with, if you’re running a business dealing with credit cards.

Like most other security standards, the PCI DSS is an evolving one, advocating new safeguards or moving away from newly discovered vulnerabilities (such as SSL/ early TLS).

But as we were reading a blog post from the PCI Council’s official blog, titled ‘Preparing for PCI DSS 3.2: Summary of Changes’, they listed the naming convention change from ‘two-factor authentication’ to ‘multi-factor authentication’ as being, and we quote: “one of the biggest changes coming in PCI 3.2”.

Why is that?

The Difference Between Two-Factor Authentication and Multi-Factor Authentication

To understand why this is a big deal, we have to understand what two-factor authentication (2FA) and multi-factor authentication (MFA) are, and how they differ.

2FA is the addition of a second safeguard to your authentication process. For example, logging into your Gmail account typically only requires you to enter your password: one round of authentication, 1FA. This is generally considered unsafe, because anyone who manages to get ahold of your password has full access to your account.

If you set up 2FA, logging into your Gmail account will require you to not only provide your password, but also an additional form of authentication. Typically, keying in a special code sent to your cell phone. In short, if you have 2FA activated on your account, not only will hackers need to have your password, but also access to your cell phone.

MFA differs from 2FA in the sense that multi implies more than two, meaning that you are using two or more levels in your authentication process.

Why Is This Name Change A Big Deal?

At first glance, it doesn’t look like a big change for many — since MFA requires the use two or more levels of authentication, many companies will still be opting to use the same bare minimum of two levels they have been using in past versions of the PCI DSS.   

Even the official blog post, which lists the change as being “one of the biggest in PCI DSS 3.2,” doesn’t really go into details as to why this is a big deal- if anything, this paragraph extract seemingly implies the opposite:

“Previously in the PCI DSS, we required any untrusted, remote access into cardholder data environment to use “two-factor authentication” which is the equivalent of multi-factor authentication. Changing the naming convention simply provides consistency that it must be at least two credentials at a minimum.”

Surely, by looking at the equivalence being drawn between 2FA and MFA, you would think the name change is no big deal. However, the reason this change actually means something is said in the use of the word ‘minimum’.

Using the term 2FA implies that companies should stop at having two-factors of authentication when in reality they should be shooting for more.

Minimal? In Data Security?

Security standards focus on providing a benchmark for security, which is usually right on the line of the minimum you need to avoid or mitigate the risk of getting hacked. The PCI DSS, and other security standards, make it easy for organizations to understand what they need to do to lay a solid foundation for data security. So if they say you should be authenticating two credentials at minimum, what they actually mean is that two is great, but getting more would be most excellent.