Society of Payment Security Professionals Forum  

#1  07-15-2010, 07:21 AM  manukabay (Member; Join Date: Jun 2009; Posts: 66)
PA-DSS 11.2 Remote Access

I've got a software vendor who has built in two-factor authentication in their payment application because of PA-DSS 11.2. The application is an interface to payment gateways and looks a lot like a payment gateway itself. The web application in question allows the merchant to set up the login information to their payment gateway, capture payments, review transactions, etc. No card data is stored or displayed to the merchant. The login to this interface is where they built in a One Time Pad in conjunction with the user id and password. It's causing a lot of trouble for their customers and it doesn't seem like it's really required to me.

PA-DSS 11.2 states:

"11.2 If the payment application may be accessed remotely, remote access to the payment application must be authenticated using a two-factor authentication mechanism."

This is derived from PCI-DSS 8.3. PCI-DSS 8.3 refers to remote network-level access which I don't believe includes things like logins to typical web-based payment applications.

I don't know of any payment gateways that require two-factor authentication for similar functions. The vendor is saying that unlike PCI-DSS, PA-DSS doesn't say network-level access so all remote access requires 2FA so they had to build it in.

I think they have gone overboard on this. Opinions?
#2  07-16-2010, 01:06 AM  jbhall56 (Senior Member; Location: Minneapolis, MN; Join Date: Feb 2007; Posts: 1,280)

Quote (Originally Posted by manukabay):
This is derived from PCI-DSS 8.3. PCI-DSS 8.3 refers to remote network-level access which I don't believe includes things like logins to typical web-based payment applications.
Two factor authentication under PCI DSS requirement 8.3 is required for any personnel that have access to bulk cardholder data when remotely connected. That remote connection could be through a Web application, a VPN or any other remote connection method.

Quote (Originally Posted by manukabay):
The web application in question allows the merchant to setup the login information to their payment gateway, capture payments, review transactions, etc. No card data is stored or displayed to the merchant.
Sorry, but you lost me. You say the merchant cannot display cardholder data, yet they can capture payments and review transactions? That seems to imply that merchants do have access to cardholder data through this site. If there is cardholder data here, then two factor authentication is required.

Quote (Originally Posted by manukabay):
The login to this interface is where they built in a One Time Pad in conjunction with the user id and password. It's causing a lot of trouble for their customers and it doesn't seem like it's really required to me.
If the question before this one confirms that cardholder data is stored or accessible then two factor authentication would be required. A one time PAD would meet the "something a user has" requirement of two factor, so they would be compliant with the PCI DSS and the PA-DSS.

Quote (Originally Posted by manukabay):
I think they have gone overboard on this. Opinions?
Depends on your answer to my earlier questions as to whether or not they have gone overboard.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#3  07-16-2010, 07:18 AM  manukabay (Member; Join Date: Jun 2009; Posts: 66)

Quote (Originally Posted by jbhall56):
Two factor authentication under PCI DSS requirement 8.3 is required for any personnel that have access to bulk cardholder data when remotely connected. That remote connection could be through a Web application, a VPN or any other remote connection method.
Good description of the requirement. I sure wish the PCI-DSS and the SSC FAQ said it so succinctly and clearly. OTOH, my vendor won't look at the PCI-DSS when interpreting the PA-DSS. Their view is the PA-DSS just says remote access, therefore it's all remote access.

Quote (Originally Posted by jbhall56):
Sorry, but you lost me. You say the merchant cannot display cardholder data, yet they can capture payments and review transactions? That seems to imply that merchants do have access to cardholder data through this site. If there is cardholder data here, then two factor authentication is required.
They can capture, void or credit previously authorized transactions or enter transactions like in a typical payment gateway - one at a time and not in bulk. No card numbers are stored; they are just passed on to the real payment gateway and the response stored. Therefore reviewing transactions doesn't include the card number, just amount, transaction ID, status, etc. Since it's not bulk and its interface provides the same type of access as payment gateways, I assume that 2FA isn't required. None of the payment gateways I have used or looked at require it.


Quote (Originally Posted by jbhall56):
If the question before this one confirms that cardholder data is stored or accessible then two factor authentication would be required. A one time PAD would meet the "something a user has" requirement of two factor, so they would be compliant with the PCI DSS and the PA-DSS.

Depends on your answer to my earlier questions as to whether or not they have gone overboard.
I understood your first statement about bulk cardholder data access requiring 2FA. But I'm not sure I understand "cardholder data is stored or accessible". Payment gateways don't require 2FA for access yet they store card numbers. So is storing cardholder data sufficient to require 2FA for a web application even if card numbers aren't displayed? Does one card number at a time access via a web application require 2FA? I believe some payment gateways allow this without 2FA though most payment processors turn this off unless a merchant shows a strong need for it.

Even if bulk cardholder data was accessible via the web application I wonder if 11.2 really requires it built into the application. The test for 11.2 says:

"If the payment application may be accessed remotely, examine PA-DSS Implementation Guide prepared by the software vendor, and verify it contains instructions for customers and resellers/integrators regarding required use of two-factor authentication (user ID and password and an additional authentication item such as a smart card, token, or PIN)."

11.1 just before that is to verify that the application won't interfere with the use of 2FA.

So I understand there might be a need for 2FA depending on access to cardholder data, but does PA-DSS really require that the application provide the 2FA? Or just that the implementation guide document the need for 2FA and it's up to the merchant to provide the 2FA method as part of PCI-DSS compliance? Looking at a couple of other certified payment applications on the PCI-SSC list it seems like they are going with the latter. I certainly would prefer buying an appliance or software from a security vendor for 2FA over something built into my payment application.
#4  07-16-2010, 11:12 AM  jbhall56 (Senior Member; Location: Minneapolis, MN; Join Date: Feb 2007; Posts: 1,280)

Sorry for any confusion.

Based on your description, you are correct that two factor authentication is not required in this case of remote access. Since the merchant does not have access to bulk cardholder data, they do not need to be authenticated using two factors.

That said, one thing we did not discuss is whether or not the application does appropriate logging of activity. Since they followed the PA-DSS, I am assuming they perform appropriate logging of all activity performed through the site. However, the more I work with service providers, the more I'm finding holes in their logging.