For most people today, paying with a card is an everyday act. We rarely think about how much work the companies behind that convenience have done, or how many diverse requirements they have had to satisfy, so that we can simply insert a card into an ATM slot and withdraw cash, or book a hotel room online before a holiday.
Obtaining the right to process payment card transactions is not an easy task. To do so, a company must be certified as compliant with PCI DSS, the standard developed by the PCI SSC (Payment Card Industry Security Standards Council). It is mandatory for any company that wants to be taken seriously in this market.
Reputable organizations and banks flatly refuse to work with a company that does not comply with PCI DSS, because non-compliance signals that the company's management does not take data protection seriously, and so puts the security and reputation of its partners and customers at risk.
What is the PCI DSS standard?
The standard consists of twelve sections, each covering a specific requirement for protecting cardholder data.
Among them are rules for:
- development, use and support of the payment systems structure;
- creation of a legal documents database accompanying these systems;
- providing adequate information security management etc.
However, the areas most critical to the safety of card transactions are a secure network infrastructure and the protection of the cardholder data the company stores. It is in the client-server exchange that transmitted data is most at risk of being intercepted by fraudsters and used for their own ends.
It is therefore not surprising that the PCI DSS requirements pay particular attention to user authentication. The system must be built so that whenever a client requests an action, it is possible to establish that the request really comes from the cardholder. It has long been no secret that a password alone is not enough.
That is why two-step authentication is used: after the usual password, the user must enter a specially generated one-time code. Typically this code is sent to the user's phone by text message. A more convenient and more reliable way to solve the authentication problem is a token, a dedicated device or program that generates one-time passwords; such tokens are offered by various providers of two-factor authentication.
Protectimus is one of them. Receiving the one-time password from a token rather than by text message removes the possibility of interception over the telephone network, and the password-generation algorithm can be strengthened further (for example with CWYS, Confirm What You See, which binds the code to the transaction data), which makes the attacker's task considerably harder. Tokens can be used conveniently on any device from which card transactions are carried out.
Although compliance with PCI DSS demands considerable effort from a company, it pays off in reputation and trust. Long ago, a deal with a prospective partner was signed only after each side had made enquiries about the other, relying on the word of people of unquestioned authority; only if the reports were favourable and the partner's reputation was spotless was the contract concluded.
In the world of modern technology we can seldom even look into the eyes of the person to whom we entrust our money or other assets. How can we be sure it will not be lost, or end up as the spoils of "network pirates"? Strict compliance with the PCI DSS standard can be such a guarantee, and one of the most important tools for achieving it is two-factor authentication.