Payment Card Industry now requires Two-Factor Authentication

May 11, 2016

Credit card data theft protection

The PCI Security Standards Council have just announced the release of the newest version of the industry standard for payment data protection, the PCI Data Security Standard (PCI DSS). The latest standard now requires Two-Factor Authentication (2FA) as well as encryption and penetration testing by companies that accept consumer payment.

Formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc, the PCI Security Standards Council is a global body responsible for maintaining, developing and promoting the Payment Card Industry Security Standards while providing tools essential to the implementation of standards such as assessment and scanning qualifications, self-assessment questionnaires and training and product certification programs.

Under the latest rules, administrators with non-console administrative access to a systems handling card data must have 2FA when they log in, either locally or remotely.

Prior to the latest release, this requirement applied only to remote access from untrusted networks, however with stolen credentials now comprising 63 percent of all confirmed data breaches according to a report from Verizon, a second layer or security is required to prevent security breaches

“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” said PCI Security Standards Council Chief Technology Officer Troy Leach in a statement.

With the latest improvements lauded by security experts, following PCI security standards is not just about compliance – according to PCI – it’s simply just good business.

“Such standards help ensure healthy and trustworthy payment card transactions for the hundreds of millions of people worldwide that use their cards every day”

The body’s founding members have also agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of their technical requirements for each of the data security compliance programs.

With Version 3.1 expiring later this year, on 31 October 2016, companies that accept consumer payment are advised to adopt the latest standard (PCI DSS 3.2) as soon as possible to prevent, detect and respond to payment data breaches. You can review the recommendations of the standard in full here.

For more information about Two-Factor Authentication (2FA) and how we can help you protect your accounts, please contact our sales team at


Tweet about this on TwitterShare on Facebook0Share on Google+0Share on LinkedIn0Email this to someone