PA-DSS requirement 10.1

Multi-factor authentication must be used for all remote access to the payment application that originates from outside the customer environment

Maitre’D by itself does not accept remote connections. However, most modern operating systems include remote access tools such as Microsoft Remote Assistance and Microsoft Remote Desktop. Many web-based remote access tools are also available, such as Cisco Systems’ WebEx or Logmein.com’s LogMeIn.

In order to be PA-DSS compliant, all remote access to the Maitre’D Back-Office server that originates from outside your network must use multi-factor authentication. The solution you use must be configured to authenticate users with at least two of the following three factors:

  • Something you know

  • Something you have

  • Something you are

Something you know

Something you know could be any combination of username, password, PIN or passphrase. Note that using the same factor twice does not count as two-factor authentication. Thus, using two or even three layers of different usernames and passwords does not count as two-factor authentication, and is therefore compliant with neither PA-DSS nor PCI-DSS requirements.

Something you have

Something you have is typically something you can physically hold in your hands and which is used to authenticate you. Security tokens are one example. These tokens display a passcode that changes every minute. When connecting remotely, the use of a username and password (something you know) in combination with such a token (something you have) would meet the PA-DSS requirement.

Something you are

Something you are means using biometric readers. For example, a system that allows you to log in only after entering a username, a password and a fingerprint scan would meet the two-factor authentication requirement.

Definition of multi-factor authentication

Multi-factor authentication means using at least two of the three factors described above. Using one factor twice does not count as multi-factor authentication. For example, using two or more layers of different usernames and passwords along with PINs and passphrases does not count as multi-factor authentication. You need to use two different factors out of the three factors listed above to meet the multi-factor authentication requirement.

A typical example of two-factor authentication is the use of passcode-generating tokens along with username and password authentication. The username and password constitute “something you know”, while the passcode-generating hardware token counts as “something you have”. In this scenario, the remote access system is configured to request the username, the password and the token’s passcode.
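The factor-counting rule above, together with the username + password + token scenario, as an added Python example (not part of this guide or of Maitre’D). It assumes the token is an RFC 6238 TOTP generator with a 60-second step, and all account data (user name, password, salt, token seed) is constructed for illustration.

```python
import hashlib
import hmac
import struct

# The three factor categories named in the requirement.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

def distinct_factor_count(methods):
    """methods: list of (label, category). Only distinct categories count,
    so username + password + PIN is still a single factor."""
    return len({category for _label, category in methods})

def is_multi_factor(methods):
    """True only when at least two different categories are present."""
    return distinct_factor_count(methods) >= 2

def totp(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1); a 60 s step mirrors a token
    whose displayed passcode changes every minute (assumed token type)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def verify_totp(secret: bytes, code: str, now: int, step: int = 60, skew: int = 1) -> bool:
    """Accept the current code and one step either side to tolerate clock drift."""
    for d in range(-skew, skew + 1):
        t = now + d * step
        if t >= 0 and hmac.compare_digest(totp(secret, t, step), code):
            return True
    return False

# Constructed sample account: a PBKDF2 password hash (something you know)
# plus a token seed (something you have). The seed is the RFC 4226 test key.
_SALT = b"constructed-salt"
_ITER = 100_000
_USER = {
    "name": "operator",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER),
    "totp_secret": b"12345678901234567890",
}

def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Remote login succeeds only when both factors verify."""
    if username != _USER["name"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    password_ok = hmac.compare_digest(candidate, _USER["pw_hash"])
    return password_ok and verify_totp(_USER["totp_secret"], code, now)
```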
