The recent data security breaches of point-of-sale systems at Target and Home Depot, which compromised over 90 million consumer payment cards, have drawn increasing attention to the need for two-factor authentication to protect access to company networks and ensure PCI compliance.

At the time of the breaches, however, two-factor authentication was already a core requirement for compliance with the Payment Card Industry Data Security Standards (PCI DSS) that both Target and Home Depot were legally required to meet. So how did these attacks occur, and what good are the PCI DSS standards if the regulations do not protect retailers and consumers?

Why PCI DSS 3.0 Requires Two-factor Authentication

The principle behind two-factor authentication is simple: rather than requiring only a password to gain access to a secured network or system, the user must also verify identity through a second authentication method, such as entering an SMS text code or a one-time password (OTP) that is sent to the user’s mobile device. Two-factor authentication may also take on other forms, such as hardware tokens that are connected to systems via USB, smart cards that are swiped by card readers, or software solutions that scan QR codes or receive OTPs for the purposes of verification.

By requiring something that the user knows, such as a password, plus something that the user physically possesses—such as a mobile device, hardware token, or smart card—two-factor authentication dramatically increases login security and makes it much more difficult for attackers to use brute force hacking, phishing, or malware to compromise user accounts.

In fact, PCI DSS 3.0 also recommends biometrics as one of the second authentication methods that merchants should consider, and this means that a fingerprint scan or voice recognition could be used for verification and thus take access security a step further.

PCI Compliance Requirements for Two-factor Authentication

In PCI DSS 3.0, the latest version of the Payment Card Industry’s standards, the requirements for two-factor authentication are made clear:

PCI DSS 8.3

Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

PCI DSS 8.3a and 8.3b – Testing Procedures

Examine system configurations for remote access servers and systems to verify two-factor authentication is required for:

• All remote access by personnel
• All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).

Observe a sample of personnel (for example, users and administrators) connecting remotely to the network and verify that at least two of the three authentication methods are used.

Implementing two-factor authentication is a fundamental step in achieving compliance and deploying best practices for cybersecurity.

However, the PCI DSS apply only for user access to networks or systems that contain sensitive payment card information. Compliance is not required for protecting other networks and systems where direct access to consumer payment information is not involved. But if organizations focus only on compliance with PCI DSS and not on applying the same principles to access to all of their networks and systems, then they are inviting disaster.

The High Stakes of Payment Card Breaches

According to reports on the Target security breach, a third party HVAC vendor was the victim of an email malware attack that allowed cybercriminals to steal the vendor’s credentials, use them to compromise Target’s network, and ultimately deploy the malware that scraped payment data from Target checkout systems. The vendor did not have direct access to Target’s payment network, but the theft of the vendor’s credentials allowed the attackers to gain access to one network and ultimately use it to get into the payment network.

The resulting attack unfolded for weeks, from late November to mid-December of 2013, and it allowed criminals to steal over 40 million credit and debit card numbers. According to Krebs on Security, as of May of 2014, this had already led to a 46 percent drop in profits for Target in the fourth quarter of 2013, would cost Target $100 million to implement payment terminals for secure chip-and-PIN enabled payment cards, and had cost banks and credit unions $200 million to reissue cards.

Not surprisingly, the mounting financial losses and the damage to the Target brand also cost the company CEO and CIO their jobs, highlighting the personal and professional consequences that can also come from a successful attack.

A variant of the same point-of-sale malware was used in a more recent attack against Home Depot, which was revealed in September of 2014 and had gone undetected for five months. Home Depot has not identified the point of entry for the hackers who compromised its payment terminals, but deployment of malware on company networks almost always begins with stealing user credentials and using them to access the network and gain access to its systems. So, just as was the case with Target, Home Depot’s network access was likely compromised.

Where Target May Have Gone Wrong with Two-factor Authentication

It is unclear whether its HVAC vendor’s access to the Target network was secured with two-factor authentication. However, according to a former Target employee cited by Krebs on Security, Target rarely required vendors to use two-factor authentication.

The source told Krebs, “Only the vendors in the highest security group — those required to directly access confidential information — would be given a token, and instructions on how to access that portion of the network.”

If two-factor authentication was not used, this would be an obvious vulnerability that would allow attackers to easily compromise the vendor’s credentials and gain unauthorized access to the Target network.

But Avivah Litan, a Gartner fraud analyst also cited by Krebs, has speculated that Target may not have required two-factor authentication for vendors if it felt that it had sufficiently isolated its vendor portals from its payment network.

Since the PCI DSS apply only to access to payment networks and systems, if the vendor only had access to other networks or systems, Target would still be in compliance despite not requiring two-factor authentication for accessing those other assets.

“In fairness to Target,” Litan told Krebs, “if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone. But if someone got in there and somehow escalated their Active Directory privileges … that might have [bridged] that segmentation.”

Why PCI Standards for Two-factor Authentication Are Not Enough

Unfortunately, as Target may have learned the hard way, PCI compliance and segmenting your networks and systems is not sufficient if your authentication requirements are compromised and attackers can gain access to any of your networks or systems. Just one compromised user account opens up a world of possibilities for further hacking and exploitation of IT security vulnerabilities. And, although Home Depot has still not revealed the exact procedure that was used to compromise its systems and install a similar version of the “Backoff” malware that was used against Target, weaknesses in authentication requirements are the most likely culprit.

Any organization that must protect consumer payment information, its own reputation, and its financial well-being cannot afford to make dangerous data security assumptions and protect only some of its networks or systems with two-factor authentication. This is why it is important for merchants to go beyond PCI compliance requirements and deploy better authentication security that will ensure that they do not become the next Target or Home Depot.

In addressing vulnerabilities and protecting your organization, we have identified five steps to achieving truly secure authentication:

Five Steps to Achieving Secure Authentication That Meets and Exceeds PCI Compliance Requirements

1. Require Two-factor Authentication to Access All Networks and Systems

Two-factor authentication should be required for remote access to all networks and systems, whether or not those systems contain consumer payment information.

Moreover, for the strongest possible data security, organizations should also consider deploying two-factor authentication to protect local network access and not just remote connections.

2. Avoid Vulnerable Two-factor Authentication Methods

When applying two-factor authentication, organizations should take care to avoid the most common methods, which technically ensure PCI compliance but still provide tremendous opportunities for attackers to compromise networks and steal consumer payment information.

As we explored in our past blog post, “Choosing the Best and Safest Method for Two-factor Authentication”, many of the most common verification methods, including those that meet PCI requirements, are ultimately unsafe and still highly vulnerable to a variety of cyberattacks and schemes. These threats include malware, man-in-the-middle attacks, SIM card cloning, and even hacking of hardware token providers.

3. Get Rid of Passwords and Sensitive Credentials

When deploying and integrating two-factor authentication for PCI compliance, organizations should avoid using passwords, which have been declared dead by leading security experts. Passwords, which enable the theft of credentials and invite attacks, should be eliminated in favor of advanced cryptography that replaces sensitive credentials with public key infrastructure (PKI). Eliminating passwords not only makes logins more secure and removes the primary incentive and basis for cyberattacks; it also alleviates the burden on users to remember and use long, complicated passwords that are ultimately useless for security once they are stolen.

4. Use PKI Authentication to Make It Impossible to Compromise Your Accounts

PKI authentication uses knowledge, possession, and/or biometrics to verify user identity and makes it physically impossible for attackers to steal credentials and use them to compromise user accounts. Passwords or other sensitive credentials are not use as part of the login process, so there are no credentials that are entered, transmitted, or stored on a server. Thus, there are no credentials for attackers to steal.

PKI also enables cloud or on-premise deployment of two-factor authentication with single sign-on capabilities and mobile authentication that greatly simplifies the login process.

5. Get Expert Advice and Implementation

Identifying the right solutions to ensure PCI compliance and protect consumer payment information can be a daunting challenge considering the number of options available and the number of networks, systems, and access points you may need to protect. Thankfully, the experts at SecSign Technologies can help.

SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a pioneer of cryptography solutions with more than 16 years of experience in developing public key infrastructure (PKI), electronic signature, and smartcard technologies. Our security experts and cryptography engineers have developed, deployed, and maintained systems that have successfully protected confidential business data and user access for numerous major corporations, including IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.

Our security engineers can provide insight and assistance in deploying PKI authentication to achieve PCI DSS 3.0 compliance and protect consumer payment information. Contact us today to request a free consultation and to learn more about our SecSign ID solution for mobile two-factor authentication using public key infrastructure.