Excerpt from Authentication and PCI DSS by Dan Fritsche, CISSP, Founder and CEO of Alpine Security Consulting
When the average executive is asked about the highest risk in their cybersecurity posture, it is not surprising that many quickly identify "people" or "an employee." You can invest in all kinds of education programs and expensive security technology, and possibly even implement them effectively within an enterprise program and a hardened environment. Getting people to behave securely, and to keep doing so consistently, is far harder.
If you then ask the average employee in that company, executives included, what they struggle with most, or dislike most, about meeting their responsibilities under the company's cybersecurity practices and policies, the answer is invariably "managing passwords!" Judging by the number of compromised passwords circulating on the internet, the only people left who have not had one or more of their own passwords stolen are those who don't use technology at all.
This raises an obvious question: why are passwords still so widely used when most cybersecurity experts agree that they are inherently one of the riskiest parts of any security system? There are no easy answers, and removing passwords can seem an impossible task in itself. After all, passwords have been the authentication technique of choice for over 50 years, and most standards and regulations contain some minimum requirements that passwords must meet. As an example, PCI DSS 3.2.1 (Requirement 8.2.3) currently requires only that a password be at least seven characters long and contain both alphabetic and numeric characters. So "password1" is acceptable: not exactly an ideal baseline. Most organizations go far beyond this minimum, but what if there were no password at all? Would that fail a PCI DSS assessment? What if it were possible to meet PCI DSS's MFA requirements with no passwords? Imagine removing one of the weakest links in cybersecurity and improving authentication at the same time. Put another way, consider protecting your most critical data and limiting what cyber criminals can do in your environment, in a way that both reduces your cyber risk and meets whatever compliance standards your organization is subject to. This is what passwordless MFA and continuous authentication can offer.
Which, then, is the larger risk: people or passwords? When it comes to authentication, it is both: people using passwords. Letting people authenticate continuously without passwords is now possible, and doing so correctly increases security while meeting the intent of today's standards and compliance requirements.
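To make the point about the baseline concrete, here is an added example (not code from the paper or from Acceptto) that implements the PCI DSS 3.2.1 password minimum as a check and shows that "password1" passes it, then layers on the kind of stricter policy an organization might add: a longer minimum length (the 12-character value is an assumed organizational setting, not a PCI DSS figure) and a lookup against a compromised-password corpus. The corpus here is a constructed handful of SHA-1 hashes, the form in which public breach datasets are commonly distributed; a real deployment would check against a full dataset.

```python
import hashlib
from typing import List, Tuple


def meets_pci_dss_321_minimum(password: str) -> bool:
    """PCI DSS 3.2.1, Requirement 8.2.3: at least seven characters, containing
    both alphabetic and numeric characters. That is the entire baseline."""
    return (
        len(password) >= 7
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


# Constructed sample breach corpus (example data only): SHA-1 hashes of a few
# passwords that appear in practically every public credential dump.
_SAMPLE_BREACHED_PASSWORDS = [
    "password1",
    "password123",
    "qwerty123",
    "welcome1",
    "letmein1",
]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _SAMPLE_BREACHED_PASSWORDS
}


def is_known_compromised(password: str) -> bool:
    """Hash the candidate and look it up in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def meets_hardened_policy(password: str, min_length: int = 12) -> Tuple[bool, List[str]]:
    """Hypothetical stricter policy layered on top of the PCI DSS minimum.

    Returns (ok, reasons); reasons is empty when the password is accepted.
    The 12-character default is an assumed organizational setting.
    """
    reasons: List[str] = []
    if not meets_pci_dss_321_minimum(password):
        reasons.append("fails PCI DSS 3.2.1 minimum (7 chars, letters and digits)")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_known_compromised(password):
        reasons.append("appears in compromised-password corpus")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("password1", "Tr0ub4dor&3", "correct-horse-battery-staple-42"):
        baseline = meets_pci_dss_321_minimum(pw)
        ok, reasons = meets_hardened_policy(pw)
        print(f"{pw!r}: PCI DSS 3.2.1 minimum={baseline}, hardened={ok} {reasons}")
```

Run as a script, the first line of output shows "password1" clearing the 3.2.1 minimum while being rejected by the hardened policy on two counts; that gap between the compliance floor and actual risk is the argument the paper makes for moving off passwords altogether.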
Learn more in this paper exploring PCI DSS and continuous authentication.
Meeting the Payment Card Industry Data Security Standard (PCI DSS) is crucial for enterprises that handle credit card information. Without it, cardholder data, the systems that process it, and the people who operate those systems are exposed to credit card fraud, breaches, and theft of sensitive information.
Alpine Security Consulting has evaluated Acceptto's solution in the following report, which describes how our approach goes above and beyond PCI DSS compliance. Our MFA solution provides additional layers of security for our partners, our users, and, critically, credit card information.
Your enterprise can let us do the heavy lifting for card security, while you conduct the business.