Multi-Factor Authentication has significant changes in PCI DSS 4.0, and Requirement 8 applies to everyone.

PCI 4.0: What You Need To Know About Requirement 8 & MFA In Contact Centers

It has been a year since PCI DSS v4.0 was officially announced, and its implementation date is just around the corner. One of the major changes that will be seen in PCI 4.0 is an emphasis on multi-factor authentication (MFA). Requirement 8 experienced a significant overhaul, with every section containing entirely new additions. Last April, the Twosense team broke down many of these changes and what they mean for organizations, which can be found in the What You Need to Know About PCI DSS 4.0 blog.

There are, however, a few requirements that BPOs and their customers should pay specific attention to. Starting soon, BPOs will have to rotate agents' passwords every three months, agents will face more MFA challenges to access systems, and mandatory timeouts after 15 minutes of inactivity will be enforced. This will be extremely challenging to manage, but Twosense's one-of-a-kind software will make it a non-issue for BPO contact centers.

These sections include:

  • 8.4.3 MFA is now mandatory for users (agents, admins, vendors, etc.) when accessing the network (e.g., a VPN connection).
  • 8.4.2 Even after that first MFA, MFA is required again for each access request to the card data environment (CDE). 
  • 8.2.8 Session timeouts are now set at NIST-standard 15 mins, after which all of the above must be redone. 

On top of that, there are new requirements specifically for BPOs and service providers that become difficult to meet without continuous identity controls:

  • 8.3.10 Without continuous security posture evaluation, credentials will need to be rotated every three months. 
  • Furthermore, if the agent’s credentials are managed by your customer, it is your responsibility to see to it that your customer rotates these credentials every three months, again, unless you can implement a continuous security posture evaluation. 

While compliance tends to be complicated to interpret, the primary goal of PCI 4.0 as it pertains to multi-factor authentication is clear: deploy MFA to everyone.

This means every individual (agents, vendors, and third parties) will be required to authenticate when accessing a VPN, again to access the CDE, and again for all applications. An additional measure was added to clarify that completing an MFA challenge into any one system does not mean you can forgo authenticating into the others.

It's crucial for BPOs and their customers to pay close attention to these requirements and to take the necessary steps to ensure they are on track to meet the new compliance standards. Failing to comply with these requirements could result in customer churn, hefty fines, and damage to an organization's reputation.

Implementing MFA is critical to enhancing cardholder data security and reducing the risk of data breaches, and it is paramount for BPOs. With Twosense, contact centers will be empowered to deploy secure, PCI-compliant solutions without adding unnecessary friction, which would be extremely challenging to do with traditional MFA.

Over the next several weeks, the team at Twosense will be doing deep dives into each of the individual requirements listed above and what they mean for BPOs and their customers. Stay informed and get real-time access to valuable information that will help your organization prepare for PCI 4.0. Click the subscribe button now to stay up to date!
