The PCI DSS, or Payment Card Industry Data Security Standard, protects cardholders' identities. However, does PCI DSS compliance mean your customers' confidential data is well protected? Although the standard requires strong security, technology is changing rapidly and attackers are becoming savvier. Malware is everywhere, and interaction with an infected computer, whether on the company or the client side, is inevitable.
The compliance standards do not need a complete overhaul, but rather an addition. With so many consumer interactions handled through mobile devices today, an out-of-band one-time password (OTP) authentication process would eliminate many problems without placing expensive burdens on financial institutions.
PCI DSS compliance was developed by Visa, JCB, MasterCard and American Express and requires the implementation of two-factor authentication. Authentication is required for any remote access to the network; however, there is no requirement for an out-of-band OTP. All that is required is that two of three factors be present before an identity is considered securely authenticated. If a password is transmitted, it must be encrypted using strong cryptography.
The problem with not requiring out-of-band authentication, where the OTP travels over a separate network, is that every step of the authentication process is handled in one place. This leaves the process vulnerable to man-in-the-middle attacks, in which an infected computer or device transmits the information and an attacker intercepts it.
Man-in-the-middle attacks, increasingly reported in the media, are often how attackers gain the access used in data breaches. When only one device is used to identify a user, phishing the information or planting malicious software to capture the credentials used for authentication is relatively trivial.
With out-of-band one-time password authentication, the OTP is sent through a different transmission network, such as the phone company's network. This creates a problem for attackers: gaining access to both devices, the computer and the mobile phone, is a difficult task, and beyond that, correlating both compromised transmission networks to a single owner would be almost impossible.
When you think about authentication security, especially for an industry with as much at stake as the financial vertical, you want the strongest protection possible. Protecting your customers' personal data goes beyond PCI DSS compliance, because customer trust is the future of any business. By using a smarter process you eliminate the chance that a weak link in the chain leaves you exposed. Whether the client's computer or the business's computer is infected would not matter; the attacker could capture only part of the information needed for authentication.
When it comes to the customer, a company does need the protection of strong authentication; however, no expensive burden should be passed on to the client. Some out-of-band OTP authentication processes use proprietary tokens rather than mobile devices, and these have proven less than effective.
Some very large data breaches, such as the RSA data breach, have been attributed to tokens that do not use truly dynamic passwords. The extra hardware to carry around and the expense of these tokens and their network also make them an unviable out-of-band one-time password source.
Using a mobile phone as the token device means the user does not need to carry anything extra. SMS text messages also use existing infrastructure, so there is no added cost of running a new network.
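As an added example (not code from the original post), here is a server-side out-of-band OTP service in Python that shows the checks a verifier should apply: the code goes out through a separate channel (the assumed `send` callback standing in for an SMS gateway), is bound to the login session that requested it, expires, is single-use, and is consumed after a few wrong guesses. The `OutOfBandOtpService` name, the callback and the sample session ids are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # short lifetime limits the window for a relayed code
MAX_ATTEMPTS = 3        # cap online guessing of a 6-digit code


@dataclass
class PendingOtp:
    code: str
    session_id: str   # the OTP is bound to the login session that requested it
    expires_at: float
    attempts: int = 0


class OutOfBandOtpService:
    """Issues an OTP through a separate channel and verifies it once.

    `send(phone, message)` is an assumed callback standing in for an SMS
    gateway; `now` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, send, now=time.time):
        self._send = send
        self._now = now
        self._pending = {}  # user_id -> PendingOtp (one live code per user)

    def issue(self, user_id, phone, session_id):
        # CSPRNG, zero-padded so every 6-digit value is equally likely
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingOtp(code, session_id, self._now() + OTP_TTL_SECONDS)
        self._send(phone, f"{code} is your verification code; it expires in {OTP_TTL_SECONDS // 60} minutes.")

    def verify(self, user_id, session_id, submitted):
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return False
        # A code presented from a different session or after expiry is discarded outright
        if entry.session_id != session_id or self._now() > entry.expires_at:
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, submitted)  # constant-time compare
        if not ok and entry.attempts < MAX_ATTEMPTS:
            self._pending[user_id] = entry  # allow another try; otherwise the code is consumed
        return ok
```

The session binding is what makes a code phished from one login attempt useless in another, which is the property the paragraph above relies on.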
Even though PCI DSS compliance can benefit from out-of-band OTP authentication, that does not mean a company could not offer stronger security that is seemingly inexpensive for its consumers. Not to mention that a data breach does not look good on a company's record and could potentially destroy your business.