Sarah Fender
Sarah Fender
There is a high degree of ambiguity among retail organizations regarding how to comply with certain requirements of the Payment Card Industry Data Security Standard (PCI DSS). There are, however, some PCI DSS sections that provide merchants with crystal-clear direction on how to achieve compliance. Among the straightforward sections is 8.3, which requires regulated merchants to govern employee and third-party remote access to corporate networks by using two-factor authentication.

Two-factor authentication requires users to authenticate to the network using two separate identification factors. These factors are typically something that only the user would know, such as a user-defined password, and something only the user would have, such as a security token or smart card. Due to the complexity of setting up and maintaining two-factor systems, many merchants have yet to implement two-factor for all of their remote access points and users. Although the 8.3 requirement is clear, achieving compliance with the requirement is not necessarily clear cut.

Merchants have traditionally relied upon security tokens that generate random passwords as their preferred method of providing a dispersed workforce with secondary authentication, or something they have. However, security tokens can be costly to deploy and a hassle to use. Security administrators understand firsthand what it takes in time and resources to manage, purchase, distribute, and inventory each device — not to mention the frustration of a retail manager in the field who is locked out of the network because he can't find his token or it just doesn't work.  

One new class of two-factor authentication solutions has emerged, however, using telephones. Phone-based solutions leverage something the user always has for the second method of identification, namely, access to mobile or landline phones. By utilizing an existing device, these solutions can be rapidly deployed to large numbers of geographically diverse users. Phone-based authentication can scale to meet the demands of retailers with seasonal staffing spikes and high turnover; integrates with commonly used personnel directories to simplify enrollment and support; eliminates the cost and time involved with purchasing and managing token inventories; is easy to deploy and use; and, most importantly, fulfills the requirements of section 8.3.

As more access points are enabled due to the increase in remote workers and the growing pervasiveness of mobile devices, the task of securing these access points becomes increasingly difficult. Add to that today's sophisticated threat landscape, which will drive stricter requirements for strongly authenticating users, and IT departments have quite the challenge. For many organizations, phone-based authentication provides strong security, meeting PCI DSS requirements today and in the future.