PCI DSS (Payment Card Industry Data Security Standard) is a standard aimed at helping organizations that handle credit cards keep their data secure. A number of card brands mandate that organizations that handle such data comply with the standard.
While the standard is quite vast, in this article, we will be looking at the implementation of MFA on WordPress websites within the implementation of PCI DSS.
MFA or 2FA?
PCI DSS makes Multi-Factor authentication a requirement, with a minimum of two factors (2FA) needed to achieve compliance. While these two terms are somewhat similar, understanding the difference between MFA and 2FA is important. As such, using two factors is enough to be compliant with PCI DSS requirements. However, there are some caveats, which we will discuss next.
When it comes to choosing which factors to include, it’s important to note that PCI DSS limits your options to three out of the five factors available in multi-factor authentication. These are:
- What you know
- What you have
- What you are
Of course, if you go above the required two factors, you can choose from the remaining two; however, at least two out of the three options listed above need to be implemented to achieve compliance.
Two-step or two-factor authentication?
Two-step and two-factor authentication are often used interchangeably; however, there is one significant difference. This difference is vital that it makes one compliant and the other one not compliant with PCI DSS.
We’ll start with what is common between these two methods. Both of them make use of two factors of authentication to authenticate users. The difference is how authentication happens.
In two-step verification, a user looking to authenticate will first complete the first authentication and once successful will move on to the next authentication step. In two-factor authentication, however, the user will not know if the first authentication factor was successful or not until completing all authentication factors.
PCI DSS requires two-factor authentication since this is considered to be more secure than two-step authentication. What this means is that the user trying to log in must not know if any of the authentications were successful or not until all are completed – at which point access is granted or denied.
Another point that PCI DSS stress is that of factor independence. Factor independence means that should one factor become compromised, none of the other factors become compromised as a result.
Let’s illustrate this with an example. A user uses the same username and password to log in to their email account as they do to log in to WordPress. They have opted to use OTP via email as their second authentication factor. In this case, there is no factor independence since if their email account gets compromised, the attacker would get access to both authentication factors.
While it’s impossible to prohibit users from using the same password for WordPress as they do for their email, discouraging it is doable.
One way to achieve this is by using WPassword – the password policy management plugin for WordPress. WPassword provides WordPress administrators with a fine degree of control over password length and complexity as well as lifetime – ensuring users are logging in with fresh and complex passwords.
One way to solve this problem in a WordPress environment is through out-of-band authentication. Using this method, authentication is sent through a different network than the one used to log in. To illustrate this with an example, a user logging in to WordPress from their PC should receive an OTP on their phone.
PCI DSS also highlights the importance of using different devices to receive the 2FA token and log in; something to keep in mind when setting your 2FA policies.
While 2FA provides an additional layer of security, it does not mean that all layers should not be protected as if they’re the only one. It’s essential to keep in mind that no system is 100% secure, and as such, precautions should be taken every step of the way to ensure the best possible security is in effect.
Passwords should abide by strict WordPress password security policies to ensure they are not easy to guess or crack. Adequate length and complexity by ensuring a healthy mix of characters remain the order of the day.
It’s equally important to educate users on the importance of security and the ramifications of a breach. Devices used for authentication, such as smartphones, should be sufficiently protected from access that may compromise the website’s security.
2FA beyond PCI DSS on WordPress websites
Whether you’re looking to achieve PCI DSS compliance or simply secure your WordPress website, 2FA should be on your WordPress security to-do list. Of course, when looking to implement 2FA to achieve compliance, you might need to take additional steps to ensure all requirements and obligations have been met.
Even so, PCI DSS is not the entity that requires 2FA. Industry titans such as Google are also rallying behind the technology, making it a requirement for their users – giving it a resounding vote of confidence that, when it comes to protecting your WordPress website, 2FA does its job.
Getting 2FA on your WordPress website
Configuring two-factor authentication on a WordPress website can be an easy and straightforward job when choosing WP 2FA. The plugin allows you, the website administrator or manager to deploy policies and make 2FA a requirement. Developed with the end-user in mind, the feature-rich plugin takes no technical expertise to set up without skimping on security.