“Two-step” or “multi-step” authentication is not the same as “two-factor” or “multi-factor”. “Two-step” or “multi-step” authentication involves the subsequent presentation of one or more authentication steps after the first authentication step is successfully performed. This approach is not the same as “multi-factor” authentication, as even though the overall process may rely on multiple authentication methods, each step relies on a single authentication factor.
Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for further guidance.
Article Number 1426