PCI-compliance with tokenless 2FA
Date: Aug 18, 2014
Guest post: SecurEnvoy.
PCI-compliant payment processing: Tokenless two-factor authentication overcomes compliance issues.
Service companies in particular hold a large amount of customer data that requires a high level of protection. When storing information for processing payments, companies also have to meet special PCI DSS (Payment Card Industry Data Security Standard) compliance requirements.
Amongst other things, these requirements stipulate that the company’s internal system login cannot be protected with just a password alone. In this situation, tokenless two-factor authentication from SecurEnvoy offers the perfect solution. Employees receive a numerical code via SMS on their mobile phone, which they can then enter in addition to their password.
When processing payments, companies are subject to a number of compliance regulations. For example, the PCI DSS regulations stipulate the need for highly secure access to networks that contain sensitive information about credit card payments. In particular for employees who remotely access such a network, special requirements apply: in accordance with PCI DSS, logging in using only a password is not allowed.
Additional security at login
Companies must respond accordingly and establish additional security for network login. Two-factor authentication is perfect for this scenario. Many companies are unhappy that they may have to purchase expensive smart cards or other tokens for staff authentication.
But there is a cheaper, secure alternative: tokenless two-factor authentication such as SecurAccess.
With this solution, mobile phones are used instead of the conventional hardware tokens. When a user wants to log into the network, a six-figure numerical code is sent by SMS or e-mail. Soft-token apps for each major mobile platform are also offered at no extra charge. The password is entered together with the user’s personal login information to ensure unambiguous identification. The passcode is valid only once and expires immediately after it has been entered. For the next network login, SecurAccess sends the user a new number combination. continue reading…