Implementation of PCI standards in the call center environment has continued to prove difficult, leaving many facilities non-compliant, and ultimately vulnerable to data breaches, fines, potential lawsuits, and reputational damage. While organizations work diligently to balance requirements and best practices, deploying MFA while adhering to PCI compliance has been a significant sticking point. PCI compliance appears to be nearly impossible to meet, and organizations are despairing at the daunting task of meeting the requirements. However, the path to compliance is there, hidden in the PCI DSS documents, and it all points to behavioral biometrics. Let’s walk through it.
PCI and MFA
The Payment Card Industry Security Standards Council (PCI SSC)’s Data Security Standards PCI DSS version 3.2 were developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Of note here, is that multi-factor authentication (MFA) is mandatory per PCI DSS requirement 8.3.1: Identify and Authenticate Access to System Components.
To see what qualifies as a factor for MFA, we need to look at PCI DSS MFA Guidance V1, which states “MFA requires at least two of the three authentication methods described in PCI DSS Requirement 8.2.”
- Something you have, like a mobile phone or hard token
- Something you know, such as a password, and
- Something you are, such as a biometric.
All standard MFA tools either rely on a mobile phone or a dedicated hardware token such as a Yubikey or RSA token. The logistics and security of managing hard tokens make them prohibitive for call centers, leaving mobile software tokens only. However, for call centers, PCI SSC published Protecting Telephone-Based Payment Card Data 3.0 to provide further clarity on guidance for telephone-payment environments to better manage the risk of fraudulent activity. One strong recommendation in Section 4.1- Risks and Guidance in Simple Telephone Environments, encourages facilities that process payment transactions to restrict mobile phones at agents' workstations or on the call center floor.
“Restricting the recording of account data is essential to maintain a secure environment. This may mean implementing processes to restrict access to: notebooks and pens, mobile phones capable of taking notes, any device that enables voice recordings, and where account data is input into a system any device capable of taking pictures.”
With “something you have” no longer a practical option, that leaves “something you know” (a password) and “something you are” (a biometric).
Something You Are
While PCI guidance recommends biometric authentication, it does not specifically define what is considered a biometric factor. For that, PCI DSS relies on NIST for guidance:
“PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry. ”
The MFA Guidance document links specifically to NIST Special Publication 800-63 for that. SP 800-63 defines the term biometrics in the following way:
“Biometrics: Automated recognition of individuals based on their biological and behavioral characteristics,”
Here, NIST clearly labels behavior as a biometric, which is in line with their current approach to Zero Trust. NIST advocates for behavior as a factor across the board, with NIST Special Publication 800-207 Zero Trust Architecture as a prime example. This is also in line with international regulation, where behavioral characteristics have been approved by the UK ICO as a strong authenticator for EU payments PSD2.
In simple terms, biometrics measure something that is intrinsically part of an individual. This includes how a user behaves when they interact with a computer. Without a viable “something you have” in the call center, biometrics is the only solution to PCI MFA compliance, including behavioral biometrics.
Twosense has developed a cutting-edge, no-phone, software-only multi-factor authentication designed specifically for call centers to meet PCI compliance with behavioral biometrics. Twosense software takes into consideration the way a user types, the rhythm in which they use a keyboard, mouse movement, time patterns, app usage, and system flow. The biometric data is passed into a cloud-based machine learning system that builds a model of each user’s behavior, which is then used to authenticate users.
Identity verification via biometrics means no mobile app, no hardware tokens, and no additional equipment like thumbprint readers. Because users are automated out of the multi-factor process, Twosense MFA also meets the phishing-resistant MFA guidance set forth by the OMB and Biden Administration “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles” initiative.
Biometric MFA Is The Answer
So, do behavioral biometrics meet PCI compliance standards? The answer is yes. According to PCI SSC, NIST, and the European Commission, behavioral biometrics do meet PCI DSS 8.3.1 and PSD2 requirements for multi-factor authentication. To learn more about Twosense software-only MFA, please visit www.twosense.ai.