Maintaining Compliance With MFA

WRITTEN BY ISABEAU BOODY

Contact center operators have been tasked with the impossible: maintain PCI compliance by deploying multi-factor authentication (MFA) to every agent, for every application, all the time.

Not only is this difficult to achieve, there are also serious consequences to organizations that do not employ workable solutions.

For example, PCI non-compliance can bring monthly fines ranging from $5,000 to $500,000, expose the organization to legal action, and result in lost revenue.

When PCI compliance is not met, organizations also incur additional risks like reputational damages, which can also greatly impact their bottom lines.

Contact centers are often subject to strict regulations when it comes to what can and cannot enter an agent’s workspace due to the nature of the information being handled. This includes the prohibition of mobile devices, which almost all traditional MFA requires.

Moreover, email MFA, which is often the fallback used out of convenience, doesn’t meet the compliance standards required.

Even if it did, emailing a PIN is insecure if the workstation has been compromised. Hardware tokens, the primary alternative, are expensive and difficult to implement, and with churn at an all-time high in contact centers, management would be left chasing down tokens or deauthorizing them individually, wasting both time and money.

With so many common MFA solutions unworkable in the contact center space, biometric authentication is the only path forward.

What is PCI Compliance?

Let’s look deeper at PCI compliance. The Payment Card Industry Security Standards Council (PCI SSC) launched a set of requirements in 2006 to ensure that organizations that are processing, storing, or transmitting credit card information maintain a secure environment to help prevent card payment fraud.

The original standards were only applicable to merchant processing but later were expanded to include encrypted internet transactions as well. These requirements became the Payment Card Industry Data Security Standard (PCI DSS), which is now a core component of almost all credit card companies’ security policies.

Though the PCI DSS is not the law, it does become a contractual requirement when partnering with any card company. PCI compliance standards require any business that processes, handles, or stores credit card data on behalf of a merchant to consistently adhere to the PCI DSS. These guidelines include 78 base requirements, more than 400 test procedures, and 12 key requirements.

As organizations that handle customer payment information, contact centers are subject to the PCI DSS v3.2.1 multi-factor requirement 8.3.1 that they must “Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.”

To see what qualifies as a factor for MFA, we need to look at PCI DSS MFA Guidance v1, which states:

“MFA requires at least two of the three authentication methods described in PCI DSS Requirement 8.2.

  • Something you have, such as a mobile phone or hard token
  • Something you know, such as a password, and
  • Something you are, such as a biometric.”

Contact Center-Specific Guidance

For contact centers, this is easier said than done.

In November 2018, the PCI SSC published “Protecting Telephone-Based Payment Card Data 3.0” to provide clarity on guidance for telephone-payment environments.

This document was intended to help contact centers better manage the risk of fraudulent activity and reinforce the fundamental principles associated with applying PCI DSS requirements and other best practices.

Section 5.1 “Risks and Guidance in Simple Telephone Environments” outlines two important requirements:

“Any customer database systems, third-party CRM applications, or order-processing systems into or through which account data is being processed, transmitted, or stored should be secured. Below, among other possible controls, examples of such controls include:

  • Ensure that at-home/remote workers use a multi-factor authentication process when connecting to the telephone environment or to any systems which process Sensitive Authentication Data/Cardholder Data.
  • Require all personnel to use only company-approved hardware devices e.g., mobile phones, telephone handsets, laptops, desktops, and systems. This is especially relevant to remote/at-home working, ensuring that the entity can maintain control of systems and technology supporting the processing of telephone-based payment card data.”

That brings us to the physical controls component of PCI DSS. As stated earlier, many contact centers implement strict regulatory policies about what can and cannot enter an agent’s workspace.

Section 4.1 “Risks and Guidance in Simple Telephone Environments” states:

“Restricting the recording of account data is essential to maintain a secure environment. This may mean implementing processes to restrict access to: notebooks and pens, mobile phones capable of taking notes, any device that enables voice recordings, and where account data is input into a system any device capable of taking pictures.”

Once these physical controls are in place, they directly constrain which technologies, MFA included, can be used to secure data and authenticate agents.

WAHA Compliance

Contact centers experience the same issues with compliance and fraud with work at home agents (WAHAs) as they do with in-office agents. While prohibiting phones is impossible without constant surveillance, there are still reasons to avoid phone-based multi-factor authentication (MFA).

PCI auditors may not approve of multi-factor solutions that require a mobile phone. Actively encouraging employees to keep phones at their desks is not a best practice.

Additionally, agents may not have modern smartphones or reliable cell service or other infrastructure at their home offices. Call center candidates may expect cellphones to be provided by their employer if they are required for work.

Hard tokens have similar difficulties for WAHAs; there is a cost associated with purchasing, shipping, and reclaiming tokens from every employee. Time and money are wasted every time an agent is hired, quits, or is fired.

“Something You Have” Limitations

Because mobile devices are prohibited on the contact center floor, most traditional MFA is unworkable for organizations with contact centers.

Push-based solutions like Duo, and the MFA bundled with SSO products such as Okta Verify and OneLogin Protect, won’t work without phones. Similarly, TOTP (time-based one-time password) authenticator apps like Google Authenticator or Microsoft Authenticator are unavailable.

While hardware tokens like YubiKey are widely adopted among large enterprises, contact centers that have experimented with them quickly realized that issuing hardware to agents is both expensive and impractical.

Employees have a tendency to forget or break their hard tokens, and with 150% annual staff turnover, assigning and de-authorizing the tokens takes too much time and effort.

The logistics and security of managing hard tokens make them prohibitive, which means that “Something you have” is not a feasible option for contact centers.

While passwordless authentication is starting to pick up steam in other industries, it’s also unlikely that contact centers will be able to skip “something you know” while phones and hard tokens are off the table.

“Something You Are” Explained

How does a contact center go about implementing MFA that meets PCI DSS compliance standards while also complying with best practices such as restricting mobile devices? One solution highly favored by the U.S. Government and security professionals alike is biometric authentication.

Biometric technology today has become increasingly versatile in its applications – and whether you realize it or not, biometrics are something that most of us use daily. Facial recognition is pervasive on social media and fingerprint readers keep the confidential information on our mobile devices secure.

Traditional “active” biometrics like fingerprint or hand readers, retinal scanners, and facial recognition require some sort of user participation; the user must stop what they are doing to let some part of their body be scanned.

Active biometrics also require specialized hardware. Laptops must be custom-ordered with fingerprint readers, or USB fingerprint scanners must be issued to agents alongside their computers. Organizations may find that some of their agents simply can’t be scanned: some individuals have fingerprints that cannot be read reliably, or cannot be fingerprinted at all.

For facial recognition, webcams have to be available on every device and must be enabled and unobstructed for an agent’s entire workday. Webcam-based biometrics are also frustratingly error-prone; on average, 3% of any user population will be unable to use facial recognition-based authentication.

Incorporating Behavioral Biometrics

While retinal scanners and fingerprint readers have been around for decades, behavioral biometrics are a more recent technology that allows for a much better user experience.

Behavioral biometrics are a form of passive biometrics that measure something that is intrinsically part of an individual.

Behavioral biometrics take into consideration the way a user types, the rhythm with which they use a keyboard, their stride and footfall, or the gestures they use when scrolling on their phone.

These behaviors are produced instinctually, and a collection of behavioral factors can identify a user just as surely as their fingerprints can.

Behavioral biometrics are distinct from traditional active biometrics like fingerprint scanners in that no participation is required from the users. The “passive” collection of behavioral biometric data is completely invisible to the users and can run continuously throughout the day.

With behavioral biometrics, users can be “challenged” repeatedly without ever realizing it, which means that they can skip the 15-30 second delay that traditional MFA requires. Interrupting agents less means higher productivity, less frustration, and more time spent on the phone with customers.
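To make the keyboard-rhythm idea concrete, here is an added illustration of keystroke dynamics, written for this article and not code from the author, from Twosense, or from any vendor. It enrols a typist from the dwell time of each key press and the flight time between keys, builds a per-feature mean and spread, and then scores later typing samples with a scaled Manhattan distance, smoothing over a short window so that one clumsy entry does not reject a genuine agent. The phrase, all timings, the feature set, the scoring rule and the acceptance threshold are constructed assumptions for the example; a production system would use far richer features and a model trained on real data.

```python
"""Keystroke-dynamics sketch: enrol a typist from key press/release timings,
then score later typing samples against that profile continuously.

Added illustration only; not the article's or any vendor's code. The phrase,
timings, feature set (dwell and flight times), the scaled-Manhattan score and
the threshold are all constructed assumptions for this example.
"""
from statistics import mean, pstdev

PHRASE = "pci-mfa"          # hypothetical phrase typed at login (assumption)
SIGMA_FLOOR_MS = 5.0        # avoid dividing by a near-zero spread
THRESHOLD = 2.0             # accept if the mean scaled deviation is below this


def make_sample(dwells, flights, start_ms=0):
    """Build a constructed list of (press_ms, release_ms) events from per-key
    dwell times and per-gap flight times (flights has one fewer entry)."""
    assert len(dwells) == len(PHRASE) and len(flights) == len(PHRASE) - 1
    events, t = [], start_ms
    for i, dwell in enumerate(dwells):
        events.append((t, t + dwell))
        t += dwell
        if i < len(flights):
            t += flights[i]
    return events


def features(events):
    """Dwell time per key (release - press) followed by flight time per gap
    (next press - this release)."""
    dwell = [rel - press for press, rel in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight


def enrol(samples):
    """Per-feature mean and spread (floored) over the enrolment samples."""
    vectors = [features(s) for s in samples]
    columns = list(zip(*vectors))
    mu = [mean(c) for c in columns]
    sigma = [max(pstdev(c), SIGMA_FLOOR_MS) for c in columns]
    return mu, sigma


def distance(profile, events):
    """Scaled Manhattan distance: mean over features of |x - mu| / sigma."""
    mu, sigma = profile
    x = features(events)
    return mean(abs(xi - mi) / si for xi, mi, si in zip(x, mu, sigma))


def monitor(profile, probes, window=3, threshold=THRESHOLD):
    """Continuous check: average the score over the last `window` probes so a
    single clumsy entry does not reject a genuine agent. Returns one
    (smoothed_score, accepted) pair per probe."""
    scores, out = [], []
    for events in probes:
        scores.append(distance(profile, events))
        smoothed = mean(scores[-window:])
        out.append((round(smoothed, 2), smoothed < threshold))
    return out


# Constructed enrolment data: the same base rhythm shifted by a few ms per take.
BASE_DWELL = [90, 80, 110, 70, 95, 85, 100]
BASE_FLIGHT = [120, 150, 90, 200, 130, 110]
ENROL_SAMPLES = [
    make_sample([d + off for d in BASE_DWELL], [f + off for f in BASE_FLIGHT])
    for off in (-8, -4, 0, 4, 8)
]
# Constructed probes: the enrolled agent with natural jitter, then a slower,
# uniform hunt-and-peck rhythm that is not the enrolled agent.
GENUINE = make_sample(
    [d + j for d, j in zip(BASE_DWELL, [3, -6, 5, -2, 7, -4, 1])],
    [f + j for f, j in zip(BASE_FLIGHT, [-5, 6, -3, 4, -7, 2])],
)
IMPOSTOR = make_sample([180] * 7, [400] * 6)


def demo():
    """Enrol, then run the continuous monitor over a mixed probe stream."""
    profile = enrol(ENROL_SAMPLES)
    return monitor(profile, [GENUINE, GENUINE, IMPOSTOR, IMPOSTOR, IMPOSTOR],
                   window=2)


if __name__ == "__main__":
    for score, ok in demo():
        print(f"score={score:6.2f}  {'accept' if ok else 'reject'}")
```

Two design points matter for a deployment like the one the article describes. The spread floor (`SIGMA_FLOOR_MS`) stops a feature that happened to be very consistent during enrolment from dominating the score and rejecting the genuine user on normal jitter, and the smoothing window in `monitor` trades a short detection delay for fewer false rejections, which is exactly the interruption-free experience the article is after. The threshold itself would be tuned from measured false-accept and false-reject rates on real agents, not fixed at 2.0.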

Because a user cannot be called or emailed and tricked into granting access, behavioral biometrics are also recommended by the recent Biden administration executive order M-22-09, which mandates “phishing resistant” MFA:

“Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.”

When it comes to MFA, behavioral biometrics provide both the best user experience and the most security; passwords can be stolen, tokens phished, but behaviors cannot be fabricated.

Does PCI Consider Behavior a Factor?

While PCI guidance recommends biometric authentication, it does not specifically define what is considered a biometric factor. For that, PCI DSS relies on the National Institute of Standards and Technology (NIST) for guidance. PCI DSS MFA Guidance v1 states:

“PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry.”

The MFA Guidance document links specifically to NIST Special Publication 800-63, which defines the term biometrics in the following way:

“Biometrics: Automated recognition of individuals based on their biological and behavioral characteristics.”

Here, NIST clearly labels behavior as a biometric, which is in line with their current approach to Zero Trust. NIST advocates for behavior as a factor across the board, with NIST Special Publication 800-207 Zero Trust Architecture as a prime example. This is also in line with international regulation, where behavioral characteristics have been approved by the U.K. ICO as a strong authenticator for EU payments regulation PSD2.

Simply put, biometrics measure something that is intrinsically part of an individual. This includes how a user behaves when they interact with a computer. Without a viable “something you have” in the contact center, biometrics is the only solution to PCI MFA compliance.

Fortunately, there are vendors that provide behavioral biometric technology that meets PCI requirements, enabling organizations that have contact centers to deploy an MFA solution without the need for a mobile phone, a hard token, or any additional compensating controls that an auditor may be skeptical of.

Better Security, Better Experience

While getting an organization up to PCI compliance standards may seem like an impossible mission, it is worth the time and effort. Organizations not meeting PCI standards subject themselves to potential data breaches that can result in theft or fraud. Not only do data breaches have negative impacts on the reputation of businesses, but they can also impact their bottom lines.

Because mobile devices are prohibited on the contact center floor and hard tokens are not viable, the “something you have” piece of most traditional MFA is unworkable for organizations with contact centers.

The only path forward must be a combination of “something you know” (password) and “something you are” (biometric) to achieve MFA.

Implementing behavioral biometric MFA is a proactive measure that meets PCI compliance requirements, provides increased security for the organization and the customer, and allows contact center agents to spend more time helping customers.

Isabeau Boody

Isabeau Boody is the Marketing Manager at Twosense. Twosense automates the challenge-response of multi-factor authentication on behalf of its users so they can avoid frustrating interruptions. This allows IT departments to implement stricter and more secure MFA policies without sacrificing the user experience. Developed in partnership with the U.S. Department of Defense, Twosense uses machine learning to drive passive biometrics that can guarantee a user’s identity continuously throughout the day.