Passkeys & PCI

How do your customer service representatives (CSRs) authenticate to payment software in order to process transactions?

You may have heard this question recently from an auditor on your latest PCI audit. That’s because PCI DSS 4.0 began mandating multi-factor authentication (MFA) for all non-console access into the cardholder data environment (CDE). While this was a significant headache for many organizations that formerly relied on long passwords or rotation policies to manage “secure” access, the grey clouds of change have not come without their silver lining. First, let’s start with the original control:

Using the defined approach, any employee who uses the CDE for aspects of their job (like CSRs using payment systems to complete customer payments) would need to present a second factor of authentication to gain access to the CDE and do their work. Simple enough, right?

Recently, the council released this FAQ regarding passkeys and the ability to meet PCI DSS requirement 8.4.2. To sum up the FAQ, organizations can implement synced passkeys, set up according to the FIDO2 requirements, to count as “phishing-resistant authentication” in place of MFA.

For the astute merchant-reader, several questions might arise. While I don’t have time to address them all in detail, I thought I would at least provide some links below:

1. What are passkeys?

2. What are synced passkeys?

3. What are the FIDO2 requirements? (a brief overview with links to more details)

What does this mean for the merchant in search of annual PCI compliance? If you implement and use synced passkeys according to the proper requirements, your users might thank you, and you could shave time from your audit as well. It will still be incumbent on your PCI auditor to validate annually that your passkey solution is implemented properly, but this opens avenues to achieve compliance without having to think about “passwords + MFA” and more multi-factor hoop jumping. Let’s face it, many forms of MFA are great at being “secure” but often run into issues with daily usability, and you probably have thousands of legitimate CDE logins for every one compromise.

Some of you might be wondering about MFA when it comes to 8.4.1 and 8.4.3. Well, the council hasn’t been silent there either. Since those controls deal with administrative access and remote access, passkeys alone won’t work for them. Given the sensitivity and the broad access those doors could provide, their reasoning makes sense.

So if you are thinking about passkeys, there may not be language in the DSS itself, but there is already some guidance!
