Multi-Factor Authentication & PCI Data Security Standard 3.2
What is multi-factor authentication?
Multi-factor authentication is where two or more credentials must be used to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric. Previously in the PCI DSS, we required any untrusted, remote access into the cardholder data environment to use “two-factor authentication,” which is the equivalent of multi-factor authentication. The change in naming simply makes it clear that at least two credentials are required.
The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network.
Why are these changes needed?
The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. This applies to any administrator, whether third party or internal, who has the ability to change systems and other credentials within that network and so potentially compromise the security of the environment.
This will not impact machine authentication, where one system is communicating with another, because the requirement is intended for personnel authentication; nor will it impact administrators accessing systems directly from the console.
To prepare for this change, organizations should review how they currently manage authentication into their cardholder data environment, and review current administrator roles and access to identify where the new requirement is likely to require changes to authentication.
With a limited number of changes in PCI DSS 3.2, organizations will be able to focus attention on these types of critical controls, re-evaluate their current approach and address improvements that will help mitigate current points of attack.
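As an added illustration (not from the PCI SSC or CTComp), the check below encodes the rule described above: administrative access into the cardholder data environment requires MFA regardless of network origin, untrusted remote access still requires it, and machine-to-machine and direct console access are out of scope. It assumes factors are classified as "know", "have" or "are" and that MFA means at least two factors from different categories; the access records are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed classification of credential types into the three factor categories.
FACTOR_TYPES = {
    "password": "know", "passphrase": "know", "pin": "know",
    "hardware_token": "have", "smart_card": "have", "totp_app": "have",
    "fingerprint": "are", "face": "are",
}

@dataclass
class AccessRequest:
    principal: str
    is_service_account: bool   # machine-to-machine authentication
    is_admin: bool             # administrative access into the CDE
    origin: str                # "console", "internal" or "remote_untrusted"
    factors: list = field(default_factory=list)

def distinct_factor_categories(factors):
    """Map presented credentials to factor categories; unknown types are an error."""
    unknown = [f for f in factors if f not in FACTOR_TYPES]
    if unknown:
        raise ValueError(f"unclassified factor(s): {unknown}")
    return {FACTOR_TYPES[f] for f in factors}

def is_mfa(factors):
    # Two passwords are one factor category, not MFA.
    return len(distinct_factor_categories(factors)) >= 2

def mfa_required(req):
    if req.is_service_account or req.origin == "console":
        return False                        # out of scope per the text above
    if req.is_admin:
        return True                         # PCI DSS 3.2: all admin access, even internal
    return req.origin == "remote_untrusted" # the pre-3.2 rule still applies

def evaluate(req):
    """Return (allowed, reason) for one access request."""
    if not mfa_required(req):
        return True, "MFA not required for this access path"
    if is_mfa(req.factors):
        return True, "MFA satisfied"
    cats = sorted(distinct_factor_categories(req.factors))
    return False, f"MFA required; only {cats or 'no'} factor categories presented"

if __name__ == "__main__":
    # Constructed sample records, not real accounts.
    samples = [
        AccessRequest("dba", False, True, "internal", ["password"]),
        AccessRequest("dba", False, True, "internal", ["password", "totp_app"]),
        AccessRequest("dba", False, True, "remote_untrusted", ["password", "pin"]),
        AccessRequest("backup-svc", True, True, "internal", ["password"]),
    ]
    for r in samples:
        print(r.principal, r.origin, evaluate(r))
```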
For more information, see PCI DSS 3.2.
CryptoLocker & Ransomware: The Best Defense is a Solid Backup and Disaster Recovery Solution (BDR)
Ransomware is here to stay and will continue to plague businesses into the future. In order to provide fast recovery after an attack, a managed backup solution is key. StorageCraft is the BDR solution we provide to our managed service clients, and in the case of an attack our clients are protected and downtime is minimal. The only alternatives that businesses have after they have been infected are either to pay the ransom, and hope to get the key back, or to delete all of the encrypted files. The rate of these attacks has been increasing, and until there is a solid preventative solution that can detect and target ransomware, the safest solution is backing up on an hourly basis in case of an infection. This ensures minimal interruption if you are attacked and need to restore your files.
Contact your CTComp Account Executive or click here for a managed BDR solution.
Seminars & Events
Infrastructure and Security Technology Solutions for 2016
Join us at our CTComp and CASE Plantsville office for breakfast and see what other small- and medium-sized companies are looking to do for infrastructure projects in 2016. This can help you look at your own business and begin thinking about your upcoming IT projects for 2016-2017. We will explore strategic initiatives such as Server Virtualization, Storage Expansion, Data Encryption, Cloud Backup, Replication, Recovery, Perimeter Security, Video Surveillance, Wireless, Email Security & Compliance, Voice over IP (VoIP) & Video Conferencing Platforms, Windows 10, 100% Managed and Hybrid Managed Support Models.
June 8, 2016, Wednesday, 8:30 to 10:00AM
Web Application Development and System Integrations: Opportunities and Best Practices
A typical business utilizes many different applications often running on disparate technology platforms. Integrating separate but related applications helps organizations achieve greater levels of operational consistency, efficiency, and quality. Join us for breakfast at our CTComp and CASE Plantsville office as we discuss various approaches to and benefits of integrating user interfaces, data, and business processes across your systems. We’ll examine how the emergence of cloud-based platforms, such as Google and Salesforce.com, has opened up new opportunities for sharing information and business workflow with your web site, customer portals and mobile applications.
June 15, 2016, Wednesday, 8:30 to 10:00AM
Click here to register!
Connecticut Business Expo
The CT Business Expo is happening June 9th at the Connecticut Convention Center in Hartford and will be open from 9:00 AM to 4:00 PM.
Click here for more information.
Thank you for taking the time to read about what’s going on with CTComp.
The winner of our Q1 Giveaway was Rafael Avila of Whitney Center.