Skip to content
Multi-Factor Authentication has significant changes in PCI DSS 4.0, and Requirement 8 applies to everyone.

PCI 4.0: What You Need To Know About Requirement 8 & MFA In Contact Centers

It has been a year since PCI DSS v4.0 was officially announced, and its implementation date is just around the corner. One of the major changes that will be seen in PCI 4.0 is an emphasis on multi-factor authentication (MFA). Requirement 8 experienced a significant overhaul, with every section containing entirely new additions. Last April, the Twosense team broke down many of these changes and what they mean for organizations, which can be found in the What You Need to Know About PCI DSS 4.0 blog.

There are, however, a few requirements that BPOs and their customers should be paying specific attention to because starting soon, BPOs will have to rotate agents' passwords every three months, there will be an increase in MFA challenges to access systems, and cracking down on mandatory timeouts after 15 minutes of inactivity. This will be extremely challenging to manage, but Twosense's one-of-a-kind software will make it a non-issue for BPO contact centers.

These sections include:

  • 8.4.3 MFA is now mandatory for users (agents, admins, vendors, etc.) when accessing the network (e.g., a VPN connection).
  • 8.4.2 Even after that first MFA, MFA is required again for each access request to the card data environment (CDE). 
  • 8.2.8 Session timeouts are now set at NIST-standard 15 mins, after which all of the above must be redone. 

On top of that, there are new requirements for BPOs and service providers specifically, that become difficult without continuous identity controls:

  • 8.3.10 Without continuous security posture evaluation, credentials will need to be rotated every three months. 
  • 8.3.10.1 Furthermore, if the agent’s credentials are managed by your customer, it is your responsibility to see to it that your customer rotates these credentials every three months, again, unless you can implement a continuous security posture evaluation. 

While compliance tends to be complicated to interpret, the primary goal of PCI 4.0 as it pertains to multi-factor authentication is clear: deploy MFA to everyone.

This means every individual –agents, vendors, and third parties– will be required to authenticate when accessing a VPN, again to access the CDE, and again for all applications. An additional measure was added to clarify that completing an MFA challenge into any system does not mean you can forego authenticating into the others. 

It's crucial for BPOs and their customers to pay close attention to these requirements and to take the necessary steps to ensure they are on track to meet the new compliance standards. Failing to comply with these requirements could result in customers churning out, hefty fines, and damages to an organization's reputation.

Implementing MFA is critical in enhancing cardholder data security and reducing the risk of data breaches and it is paramount for BPOs. With Twosense, contact centers will be empowered to deploy secure, PCI-compliant solutions without adding unnecessary friction, which would be extremely challenging to do with traditional MFA. 

Over the next several weeks, the team at Twosense will be doing deep dives into each of the individual requirements listed above and what they mean for BPOs and their customers. Stay informed and get real-time access to valuable information to help your organization prepare for PCI 4.0. Click the subscribe button now to stay up to date!

More from the Blog

March 13, 2023

PCI 4.0: Required 15-Minute Timeouts

With PCI v4.0 making it clear that multi-factor authentication is mandatory for everyone and all network access, it is...
March 20, 2023

PCI 4.0: 3-Month Password Rotations

In contact centers, security is more important than ever before. Still, strict clean desk policies and the cost of hard...
June 12, 2024

PCI v4.0.1: What You Need To Know

The PCI Security Standards Council (PCI SSC) has published an update to the Payment Card Industry Data Security...

Sign Up for our Blog

We will never share your email address with third parties.