As of PCI DSS v3.2, multi-factor authentication (MFA) is also required for non-console connections to the CDE for personnel with administrative access (Requirement 8.3.1*). This includes connections that originate from within the company’s internal, “trusted” network. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for further guidance on “administrative access” and “non-console access”.
The requirement to use multi-factor authentication for non-console administrative access to the CDE is limited to individuals with administrative privileges. It does not apply to non-administrative users nor does it apply to machine accounts, such as system or application accounts performing automated tasks.
Multi-factor authentication can be implemented at the network level or at the system/application level; it does not have to be implemented at both. For example, if an administrator uses multi-factor authentication when logging into the CDE at the network level, they do not also need to use MFA to log into a particular system or application within the CDE.
* Per PCI DSS v3.2, Requirement 8.3.1 is a best practice until January 31, 2018, after which it becomes a requirement.
Article Number 1078