PCI regulations are changing. And MFA is a big part of it.

PCI Multi Factor Authentication

As of today,  anyone responsible for treating or handing personal card data will be subject to even more stringent security requirements to meet the latest PCI-DSS guidance.

While some may roll their eyes at what they might see as regulatory box-checking and administrative burden, we think that given the numbers of cards still being exposed in breaches, it’s time some of the existing loopholes are closed off for good.

Why? Because PCI-DSS 3.2 recognises that compliance needs to be applied more broadly and consistently across the whole business:  Breaches can – and do – come from all areas of an organisation, not necessarily via the most direct lines of attack.

Attackers don’t need direct systems access, or access via a console when there are wider organisational weaknesses giving access through a side door. And it’s in these areas that PCI-DSS aims to close off some gaps.

A lot of those gaps can be closed through appropriate implementation of Multifactor Authentication. Under the new regulations, personnel at a broad range of access levels will need MFA- secured authorisation to work with credit card data:

  • All personnel with non-console based access to the data (for example, customer support staff who may need access to deal with billing enquiries)
  • Personnel with remote access to the data environment, from within a trusted internal or external network (e.g VPN, web access, etc) will all need to authenticate via MFA.
  • Personnel with direct administrative responsibility for data
  • Personnel with physical access to devices on which data is held (e.g servers and databases).

These changes potentially pose additional challenges to system admins

Firstly, it’s likely that companies will need to manage multiple users – and groups of users with differing levels of authentication requirements and keep those requirements regularly updated.

Secondly, to demonstrate compliance, regular reporting is required to demonstrate how access is obtained, by whom and via what authentication type.

I say potentially, because with the right choice of MFA solution, these needn’t be the challenge they may seem:  SecurEnvoy’s industry leading MFA tool, SecurAccess, enables creation and remote management of user groups, enabling you to add, remove and update group members on-the-fly and with minimal fuss. Plus, with the fully redesigned, intuitive UI of SecurAccess V9, regular and ad-hoc reporting can be managed with the click of a button.

Acceptable MFA factors, both for PCI and, in our views any other use, are:

  • Something only you know
  • Something only you have (mobile device)
  • Something only you are (fingerprint, ocular scan, face scan)

While some providers will allow other factors to be used — such as geolocation, time of day or IP address —these count towards the two-factor minimum and should not be treated as an additional security level of any value.

Not all MFA is created equal – making the right choice now can save hours of admin and £1000s in potential penalties. 

The best providers ensure users and admins are able to gain access to the information they need quickly, securely and with authorisation types to suit all environments and preferences. And that’s what SecurEnvoy has been delivering since we invented tokenless two-factor authentication a decade ago.

The deadline for compliance has now come and gone. If you still need to understand more about your obligations under PCI-DSS 3.2, and how SecurAccess can help you get compliant quickly and with minimal administrative burden, contact us via email at or call 0845 2600010.

Category: Product Updates


Multi-Factor Authentication



Any user. Any device.

For companies that take authentication seriously.

Learn more about SecurEnvoy MFA
Cyber Security Blog

Hear more from
our security

Sign-up today

What to read next...