FAQ #1449 Diff

Is two-step authentication acceptable for PCI DSS Requirement 8.3?

Earlier Version

Two-step or multi-step authentication may be acceptable for PCI DSS Requirement 8.3, if all of the following conditions are met:

The authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smartcard
- Something you are, such as a biometric.

The authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.

Refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Documents in the PCI SSC Document Library, for additional guidance and best practices.

Later Version

For more information about multi-factor authentication, refer to the Information Supplement: Multi-Factor Authentication Guidance, available under Guidance Document in the PCI SSC Document Library. Our document library can be accessed on our website at: https://www.pcisecuritystandards.org/document_library/

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.