Global hotels are bolstering their modern authentication strategy to align with PCI DSS 4.0.1
People look to you for pleasure, and so do the cyber criminals
As a hospitality organization, people turn to you for joy and to create a lifetime of happy memories through the services and experiences you provide. To build the relationship with customers and ensure you can deliver the highest level of service, you must collect and store sensitive information such as payment card data (PCI), personally identifiable information (PII), loyalty program details, reservation data, purchase history and other customer data. This accumulation of data, often critical to operations, is seen as a treasure trove by malicious actors, who continue to perpetrate data theft against this sector.
According to the 2024 Verizon DBIR report, phishing, ransomware, and credential harvesting remain top threats to businesses within the sector. Both the industry and users are concerned about the potential for financial and reputational damage – so what is being done to protect the sensitive PCI data that is being collected? This is where a modern authentication strategy can help your business and customers stay secure from continuously evolving cyber threats.
Protecting payment card data
The PCI Security Standards Council (PCI SSC) states that its mission is to bring together payment industry stakeholders to develop and drive adoption of data security standards. It holds organizations around the world accountable for implementing higher levels of cybersecurity to safeguard sensitive information and the payment ecosystem. PCI SSC phased in many sections of version 4.0 of the PCI Data Security Standard (DSS) as the aging v3.2.1 was retired this year. The PCI SSC continues to enhance the standard, as seen with the recently released v4.0.1, which takes precedence and retires v4.0 on December 31, 2024.
Although some new requirements may not take full effect until 2025, that's no reason to put them off. PCI DSS v4.0 was designed to address the emerging threat landscape like AI-driven phishing attacks, QR code phishing attacks (Quishing) and other sophisticated social engineering attacks.
PCI DSS v4.0 introduces a number of changes – specifically, 77 are marked as evolving and/or new requirements. Although there are several requirements of importance, we will focus primarily on two that can help protect you from the attacks listed above:
- Requirement 8: the mandate to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
- Requirement 12: sets forth guidance for an information security policy.
Ultimately, there is a great deal of importance in, and synergy between, Requirements 8 and 12 that retail, hospitality and travel organizations should pay particular attention to in order to stay secure.
How PCI DSS v4.0 and v4.0.1 define MFA
Section 8 expands MFA requirements to include at least one factor for users and administrators (outside of the CDE) and at least two factors of MFA for all access into the cardholder data environment (CDE). This new guidance is consistent with NIST Special Publication 800-63 on phishing-resistant MFA. The Requirement specifically references the FIDO Alliance for guidance when choosing authentication factors.
As stated above, the language in PCI DSS v4.0 specifically references the NIST SP 800-63 update on phishing-resistant MFA. These guidelines state that all MFA processes using shared secrets are vulnerable to phishing attacks — including common factors such as passwords, security questions, mobile-based authentication (SMS) and magnetic stripe cards. NIST defines strong MFA by its use of asymmetric key cryptography to protect against phishing attacks.
Hospitality organizations must now roll out phishing-resistant authentication for all access to the CDE and must carefully consider the authentication factors for other user and administrative access. The clarity provided by the 4.0.1 revisions cements the ability to comply with the standard when using a phishing-resistant passwordless solution such as a FIDO hardware security key.
Protect against phishing using phishing-resistant authentication
Understanding the increasing threat of phishing attacks to businesses globally, balancing their security programs' efforts and enforcing the adoption of phishing-resistant MFA is the focus of many global regulatory agencies. Today the only two authentication processes that meet the above requirements for phishing-resistant authentication are PIV/Smart Card and FIDO2/WebAuthn.
Passkey, the new term for FIDO2/WebAuthn, has gained steam recently as the standard for replacing passwords and phishable MFA logins with more secure passwordless experiences. Device-bound passkeys, such as hardware security keys like the YubiKey, offer enterprises greater control of their FIDO credentials compared to synced passkeys, which live in the cloud so that credentials on a smartphone, tablet or laptop can be shared between devices. All of these solutions meet and exceed the requirements laid out by the PCI Security Standards Council in PCI DSS 4.0.1 Requirement 8.
How are Requirements 8 and 12 related?
Currently, the only exclusion to Requirement 8 is for those user accounts on point-of-sale (POS) terminals that have access to only one card number at a time to facilitate a single transaction. However, this is where we need to take a more careful look at Requirement 12 because your choice in authentication factors at every level has a huge impact on how easy or difficult Requirement 12 compliance will be.
Requirement 12 of PCI DSS details the need for an information security policy and programs, including user training, technical control oversight, and ongoing risk analysis. In combination with other areas of PCI (such as anti-phishing mechanisms), the goal of Requirement 12 is to create, manage, and enforce policies that can be understood and executed to address evolving threats.
One of the threats specifically outlined is credentials (12.3.1), which are vulnerable to external threats, misuse, or high staff turnover. Further, where passwords/passphrases are used, the compliance requirements increase. In retail, this means checking the box for every new POS user that they fully understand the information security standards, their purpose and how the employee is responsible for fulfilling them. By adopting a passwordless solution you ease this burden and make the user's experience that much easier.
Breaches carry a high price tag (on average $3.82 million in hospitality for a breach) and costly consequences. So what should you keep in mind to make the case for authentication solutions to protect against breaches?
Below are some key takeaways for hoteliers to drive compliance to PCI DSS v4.0.1 with your authentication strategy:
- The weaker your MFA posture, the greater your compliance burden: more user training and more controls to manage risk.
- The solution: apply strong phishing-resistant MFA to all users using device-bound passkeys. In the long run, phishing-resistant MFA helps enterprises cultivate phishing-resistant users, providing authentication that moves with users no matter how they work across devices, platforms and systems.
- It is worthwhile to make the business case for how phishing-resistant MFA can be used to bolster your PCI DSS v4.0.1 and v4.0 posture in order to effectively protect sensitive data and secure user access.
To learn more about meeting PCI DSS authentication requirements with phishing-resistant authentication check out this brief.