Frequently Asked Questions

< Back to search page

In what circumstances is multi-factor authentication required?

FAQ Response

As described in PCI DSS Requirement 8.3, multi-factor authentication (previously referred to as two-factor authentication) is required for all remote network access that originates from outside the entity's own network, where that remote access could lead to access to the cardholder data environment (Requirement 8.3.2).  This typically applies where the access originates either from the Internet or from an “untrusted” network or system; for example, access from a third party location or access by personnel from a portable computer over the Internet. 

As of PCI DSS v3.2, multi-factor authentication (MFA) is also required for non-console connections to the CDE for personnel with administrative access (Requirement 8.3.1*). This includes connections that originate from within the company’s internal, “trusted” network.  Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms  for further guidance on “administrative access” and “non-console access”.

The requirement to use multi-factor authentication for non-console administrative access to the CDE is limited to individuals with administrative privileges. It does not apply to non-administrative users nor does it apply to machine accounts, such as system or application accounts performing automated tasks.

Multi-factor authentication can be implemented at the network level or at system/application level; it does not have to be both. For example, if an administrator uses multi-factor authentication when logging into the CDE, they do not also need to use MFA to log into a particular system or application within the CDE.
* Per PCI DSS v3.2, Requirement 8.3.1 is a best practice until January 31, 2018, after which it becomes a requirement

June 2016
Article Number 1078