compliance-et-audit-reporting Created with Sketch. Datasheet (Compliance & Audit Reporting)
Access Authenticator Compliance Datasheet

REGULATIONS

PCI DSS

The GDPR

NY DFS (23 NYCRR 500)

Intro

Comply with Security Standards, Including PCI DSS

The latest version of the Payment Card Industry Data Security Standard requires multi-factor authentication (MFA) for all administrator access into the cardholder data environment (CDE), even from within a trusted network. MFA also simplifies compliance with mandates concerned with data privacy, like HIPAA and GDPR. Access Authenticator allows you to implement MFA across your environment, including systems like IBM i. Robust auditing and reporting capabilities make it easy to prove compliance.

PCI DSS and Access Authenticator

PCI DSS and Access Authenticator

Effective as of February 2018, the latest PCI DSS (Payment Card Industry’s Data Security Standard) 3.2.1 has expanded requirement 8.3 into sub-requirements to require multi-factor authentication for all personnel with non-console administrative access and all personnel with remote access to the Cardholder Data Environment (CDE), the environment/network/systems where cardholder data is stored.

Requirement 8.3.1

Requires organizations to implement multi-factor authentication for all local/internal network access into the cardholder data environment for personnel with administrative access.

Requirement 8.3.2

Requires organizations to incorporate multi-factor authentication for all remote network access to the cardholder data environment originating from outside the network.

These new requirements mandate that you not just use multi-factor authentication (MFA) to access the internal network from an external network, but it also requires that MFA be used when accessing the CDE from the internal network.  If the network is segmented, MFA can occur when accessing the secured network segment.  If the network is not segmented, it can occur when accessing the system on which the card data resides (e.g., IBM i). Organizations that have not implemented MFA in this capacity are out of compliance with PCI.

Powertech Access Authenticator can be inserted into the authentication process at multiple entry points: 

  • Directly accessing a critical system terminal
  • Remotely accessing a critical system from a user’s workstation environment (both internally and externally) 
  • Providing for API programmatic integration,for the use of MFA in conjunction with internal application flows

The GDPR and Access Authenticator

The GDPR and Access Authenticator

 

The GDPR and Multi-Factor Authentication (MFA)

Article 32: Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk...

The GDPR regulations do not specifically mandate multi-factor authentication, but your identity requirements have been expanded. Securing your data, detecting breaches, and reporting are all critical components of GDPR compliance. Weak, easily compromised passwords will grab the attention of your auditors and can have big financial ramifications if data is somehow compromised.

Organizations are using the GDPR as a springboard to eliminate traditional password only authentication while moving to a more secure and risk based multi-factor authentication framework. It does not matter if you are located in the EU or not, the requirements apply to any organizations that run data through an EU based data center or process personally identifiable information (PII) about EU citizens.

Implementing HelpSystems Access Authenticator will show your auditors that you are serious about protecting your data from both insiders and external threat actors and minimize the risk of fines for neglecting data processor obligations.

NY DFS (23 NYCRR 500) and Access Authenticator

NY DFS Cybersecurity Regulation (23 NYCRR 500) and Access Authenticator

In response to the ever-growing threat posed to information and financial systems, the New York State Department of Financial Services has passed regulation for organizations in the financial industry. Regulated entities are responsible for implementing cybersecurity programs that can match the relevant risks and keep pace with technological advances. A regulated entity’s cybersecurity program that must ensure the safety and soundness of the institution and protect its customers.

Several components of the regulation are imposed to prevent data from ever being exposed, including implementing multi-factor authentication solutions to mitigate the risk associated with lost or stolen credentials.

Section 500.12 Multi-Factor Authentication

(a) Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.

(b) Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.

Powertech Access Authenticator provides a flexible and secure method of authenticating that users are who they say they are. Requiring physical tokens, biometric identification, or One-Time Passwords (OTP) when attempting to access critical systems protects the institution’s data. A malicious actor would not only have to compromise a legitimate user’s credential and password but also physically obtain possession of a token or biometrics  of the user themselves. While critical for externally generated access attempts, MFA should also be used internally to protect against malicious insiders who account for nearly one-third of reported data breach activity.

Get Started