As a retail, hospitality, and travel organization, people turn to you for joy and to create a lifetime of happy memories through the services and experiences you provide. To build the relationship with customers and ensure you can deliver the highest level of service, you are required to collect and store sensitive information such as payment card data (PCI), personally identifiable information (PII), loyalty program details, reservation data, purchase history and other customer data. This accumulation of data, often critical to operations, is seen as a treasure trove by malicious actors, who continue to perpetrate data theft against the retail and hospitality (R&H) sector.
According to the 2024 Verizon DBIR and RH-ISAC’s analysis of the data, phishing, ransomware, and credential harvesting remain top threats to businesses within the R&H sector. Both the industry and users are concerned about the potential for financial and reputational damage – so what is being done to protect the sensitive PCI data that is being collected? This is where a modern authentication strategy can help your business and customers stay secure from continuously evolving cyber threats.
Protecting payment card data
The PCI Security Standards Council (PCI SSC) states that its mission is to bring together payment industry stakeholders to develop and drive adoption of data security standards. It holds organizations around the world accountable for implementing higher levels of cybersecurity to safeguard sensitive information and the payment ecosystem. PCI SSC phased in many sections of version 4.0 of the PCI Data Security Standard (DSS) as the aging v3.2.1 was retired this year. The PCI SSC continues to enhance the standard, as seen with the recently released v4.0.1, which will take precedence, retiring v4.0 on December 31, 2024.
Although some new requirements may not take full effect until 2025, that’s no reason to put them off. PCI DSS v4.0 was designed to address the emerging threat landscape, including AI-driven phishing attacks, QR code phishing attacks (quishing) and other sophisticated social engineering attacks.
PCI DSS v4.0 introduces a number of changes – specifically, 77 are marked as evolving and/or new requirements. Although there are several requirements of importance, we will focus primarily on two that can help protect you from the attacks listed above:
- Requirement 8: the mandate to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
- Requirement 12: sets forth guidance for an information security policy.
Ultimately, there is a great deal of importance and synergy between Requirement 8 and 12 that retail, hospitality and travel organizations should pay particular attention to in order to stay secure.
How PCI DSS v4.0 and v4.0.1 define MFA
Requirement 8 expands MFA to include at least one factor for users and administrators and at least two factors of MFA for all access into the cardholder data environment (CDE). This new guidance is consistent with NIST Special Publication 800-63 on phishing-resistant MFA. The Requirement specifically references the FIDO Alliance when choosing authentication factors.
The language in PCI DSS v4.0 specifically references the NIST SP 800-63 update on phishing-resistant MFA. These guidelines state that all MFA processes using shared secrets are vulnerable to phishing attacks — including common factors such as passwords, security questions, mobile-based authentication (SMS) and magnetic stripe cards. NIST defines strong MFA by its use of asymmetric key cryptography to protect against phishing attacks.
Retail and hospitality organizations must now roll out phishing-resistant authentication for all access to the CDE and must carefully consider the authentication factors for other user and administrative access. The revisions in v4.0.1 build on the foundation introduced in v4.0 and cement the ability to comply with the standard when using a phishing-resistant passwordless solution.
Protect against phishing using phishing-resistant authentication
Given the increasing threat of phishing attacks to businesses globally, enforcing the adoption of phishing-resistant MFA is the focus of many global regulatory agencies. As an example, the US Federal Trade Commission (FTC) took action against a retailer for a cyber breach that exposed the data of 2.5 million consumers. The FTC explicitly noted authentication security requirements that should be taken into account, under which authentication “shall not include telephone or SMS-based authentication methods and must be resistant to phishing attacks.”
Today the only two authentication processes that meet the above requirements of phishing-resistant authentication for access to the CDE are PIV/Smart Card and FIDO2/WebAuthn.
The term passkeys has gained steam recently, and you may be wondering how this technology fits into phishing-resistant MFA. While passkeys are a new term in the industry, the concept is not new. Passkeys are a new name for FIDO2 passwordless-enabled credentials, a standard that is replacing passwords and phishable MFA logins with more secure passwordless experiences. Device-bound passkeys, such as those on hardware security keys like the YubiKey, offer enterprises greater control of their FIDO credentials than synced passkeys, which live in the cloud so that credentials on a smartphone, tablet or laptop can be shared between devices.
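To make the distinction concrete, the following added example (not from the original article or from any vendor) shows relying-party policy checks on a FIDO2/WebAuthn assertion: origin binding, user verification, and rejection of synced passkeys via the backup flags. The RP ID, origin and function names are hypothetical, the sample inputs are constructed, and signature and challenge verification are assumed to be handled by your WebAuthn library.

```python
import hashlib
import json
import struct

# Flag bits in the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced
FLAG_BS = 0x10  # backup state: credential is currently backed up

# Hypothetical relying party values for this example.
RP_ID = "cde-admin.example.com"
ORIGIN = "https://cde-admin.example.com"


def check_assertion(auth_data, client_data_json, rp_id=RP_ID, origin=ORIGIN):
    """Return a list of policy violations (an empty list means accept)."""
    if len(auth_data) < 37:
        return ["authenticator data too short"]
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    client = json.loads(client_data_json)
    problems = []
    # Origin binding: the browser records where the ceremony ran and the
    # signed authenticator data carries the RP ID hash, so a look-alike site fails.
    if client.get("type") != "webauthn.get":
        problems.append("unexpected ceremony type")
    if client.get("origin") != origin:
        problems.append("origin mismatch")
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    # Two factors in one gesture: possession (UP) plus PIN/biometric (UV).
    if not flags & FLAG_UP:
        problems.append("user not present")
    if not flags & FLAG_UV:
        problems.append("user not verified")
    # Device-bound policy: reject credentials that can be or are synced.
    if flags & (FLAG_BE | FLAG_BS):
        problems.append("credential is backup eligible (synced passkey)")
    return problems


def make_sample(rp_id, origin, flags):
    """Build constructed sample inputs; not captured from a real device."""
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 7)
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": "Y29uc3RydWN0ZWQ"}).encode()
    return auth, client
```
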
How are Requirements 8 and 12 related?
Currently, the only exclusion to Requirement 8 is for those user accounts on point-of-sale (POS) terminals that have access to only one card number at a time to facilitate a single transaction. However, this is where we need to take a more careful look at Requirement 12 because your choice in authentication factors at every level has a huge impact on how easy or difficult Requirement 12 compliance will be.
Requirement 12 of PCI DSS details the need for an information security policy and programs, including user training, technical control oversight, and ongoing risk analysis. In combination with other areas of PCI (such as anti-phishing mechanisms), the goal of Requirement 12 is to create and enforce policies to manage evolving threats.
One of those threats specifically outlined is credentials (12.3.1), which are vulnerable to external threat, misuse, or high staff turnover. Further, in instances where passwords/passphrases are used, the compliance requirements increase. In retail, this means checking the box for every new POS user that they have full understanding of information security standards.
Breaches carry a high price tag (on average $2.96 million in retail, $3.36 million in hospitality for a breach) and costly consequences. So what should you keep in mind to make the case for authentication solutions to protect against breaches?
With an understanding of PCI DSS v4.0.1 and v4.0, below are some key takeaways for businesses and how to align them with authentication strategies moving forward:
- A weaker MFA posture means a greater compliance burden, more user training, and more controls to manage risk.
- The solution: apply strong phishing-resistant MFA to all users using device-bound passkeys. In the long run, phishing-resistant MFA helps enterprises cultivate phishing-resistant users, providing authentication that moves with users no matter how they work across devices, platforms and systems.
- It is worthwhile to make the business case for how phishing-resistant MFA can be used to bolster your PCI DSS v4.0.1 and v4.0 posture in order to effectively protect sensitive data and secure user access.
To learn more about meeting PCI DSS authentication requirements with phishing-resistant authentication, check out this brief.