Computer Login ScreenThe need for two-factor authentication travels well beyond PCI compliant hosting. Using two-factor authentication can help protect all kinds of data, from intellectual property stored within developer tools such as GitHub and MongoDB, to business proprietary data stored in CRM’s such as The purpose of this practice? To verify that all remote access to data and systems is secure and authorized.

However, for companies that interact with cardholder data, two-factor authentication isn’t just a smart move—it’s mandatory. The PCI DSS requires applicable entities to protect cardholder data environments (CDEs) in many ways, one of which is by limiting access to CDEs to only those who are authorized. But what exactly does two-factor authentication mean for PCI compliance? And why is it so important? Here is an easy breakdown of what the PCI DSS has to say about two-factor authentication, and why you need it.

What does the PCI DSS say about two-factor authentication requirements?

The need for proper authentication shows up in requirement 8 of the PCI DSS. (Requirement 8 is focused on identifying and authenticating access to system components.) Two-factor authentication specifically shows up in 8.3, which calls for entities to “[i]ncorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).”

It should also be noted that the latest version, PCI DSS 3.1, updates part 8.2.4 to clarify that “passwords must be changed at least once every 90 days.”

What factors count toward two-factor authentication?

The PCI DSS states that two of the following three methods must be employed to qualify as two-factor authentication:

  1. Something you know, such as a password or passphrase
  2. Something you have, such as a token device or smart card
  3. Something you are, such as a biometric

So why can’t you use two of the same factors? Say, two secure passwords, or a fingerprint reader plus voice recognition? Because technically that’s two steps, rather than two factors. In other words, it uses the same method twice, which can be less secure than using two totally different methods in conjunction.

Why do you need two factors to authenticate a user?

The purpose behind two-factor authentication is rooted in the purpose of the PCI DSS itself: to create a safer, more secure cardholder data environment. Using two factors to verify the credibility of an individual helps ensure that that individual is authorized to access system components.


Learn More

To learn more about two-factor authentication, including what to look for in a data center with two-factor authentication, check out our Guide to Two-Factor Authentication.

To learn how OnRamp makes two-factor authentication part of its managed security services for compliance, check out all our Managed Security Services Features.