What’s Changing in PCI 4.0 Requirement 8?
If your contact center is subject to PCI DSS, you’ve heard about the updates to Requirement 8, the requirement governing identity and authentication. These changes are designed to strengthen security and reduce the risk of unauthorized access, and several of them were future-dated requirements that became mandatory on 31 March 2025. Here’s what you need to know:
- (Req. 8.4.2) MFA for all access into the CDE – Multi-Factor Authentication (MFA) is now required for all non-console access into the cardholder data environment (CDE), not just for administrators. Every agent and employee who works inside the CDE authenticates with MFA; the only carve-outs are application and system accounts performing automated functions and user accounts on point-of-interaction terminals that handle one card number at a time. Requirement 8.4.3 separately requires MFA for all remote network access from outside the entity’s network that could reach the CDE, which is what covers work-from-home agents.
- (Req. 8.2.8) 15-Minute Idle Timeouts – If a user session has been idle for more than 15 minutes, the agent or employee must re-authenticate to re-activate the terminal or session before continuing work. (This requirement carries over from earlier versions of the standard.)
- (Req. 8.3.6 and 8.3.9) Longer passwords, and rotation unless access is continuously verified – Passwords must be at least 12 characters (8 where a system cannot support 12) and contain both letters and numbers. Where a password is the only authentication factor, it must either be changed at least every 90 days or the security posture of the account must be dynamically analyzed, with real-time access to resources decided accordingly. That second option is the one continuous authentication is designed to satisfy.
The Problem: More Security, More Friction
These changes are good for security but create friction in a contact center. Repeated MFA prompts slow agents down, and frequent timeouts interrupt calls in progress. Stricter password rules add password fatigue, which drives up helpdesk ticket volume and pushes agents toward workarounds such as sharing credentials or writing them down, which ironically weakens security.
The Solution: Continuous Authentication
The most common and accessible authentication methods, one-time MFA codes and static passwords, weren’t built for the contact center environment. Clean desk policies that keep personal phones off the floor rule out app- and SMS-based one-time codes for many agents, and once PCI requirements are layered on top, conventional methods leave gaps or simply do not meet the standard. The answer? Continuous authentication powered by behavior.
Continuous authentication works by analyzing user behavior throughout the session, not only at login, and verifying identity from the user’s typing rhythm and mouse movements, along with other behavioral signals. This approach:
- Strengthens Security – Detects account takeover, insider misuse, and session hijacking while the session is in progress, rather than only at the moment of login.
- Simplifies PCI Compliance – Removes the need for disruptive re-authentication prompts while addressing PCI’s MFA and session management requirements. Confirm with your QSA before rollout that the behavioral signal is accepted as an authentication factor (it is normally treated as “something you are”) and that the continuous verification is documented as meeting 8.2.8 and the dynamic-analysis option of 8.3.9.
- Reduces Security Costs – By Twosense’s own comparison, continuous MFA costs roughly 2.5 times less than hardware tokens, and it needs far less administration than a hardware fleet.
- Reduces Agent Interruptions – Authenticates in the background without slowing agents down, improving both security and productivity.
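To make the mechanism concrete, below is an added toy example of keystroke-dynamics verification. It is not Twosense’s code or algorithm (the page does not describe their models), and everything in it is constructed for illustration: the `KeyEvent`/`Profile` types, the `enroll`/`score`/`monitor_session` functions, the 2.0 challenge threshold, and the seeded synthetic typing data. It enrolls a profile from dwell times (how long a key is held) and flight times (release to next press), then slides a window over a live session: a window that no longer matches the profile triggers a step-up challenge, and a gap longer than 15 minutes triggers the hard re-authentication that 8.2.8 requires.

```python
"""Toy continuous-authentication monitor based on keystroke dynamics.

Added illustration only: NOT Twosense's algorithm or code. All typing data
below is constructed with a seeded PRNG, not captured from real users.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
import random

IDLE_LIMIT_S = 15 * 60       # PCI DSS 4.0 Req. 8.2.8: re-authenticate after >15 min idle
CHALLENGE_THRESHOLD = 2.0    # assumed tunable: mean |z| above this -> step-up MFA

@dataclass(frozen=True)
class KeyEvent:
    key: str
    press: float    # seconds since session start
    release: float

@dataclass(frozen=True)
class Profile:
    dwell_mean: float
    dwell_std: float
    flight_mean: float
    flight_std: float

def features(events):
    """Dwell times (key held) and flight times (release -> next press), in seconds."""
    dwell = [e.release - e.press for e in events]
    flight = [b.press - a.release for a, b in zip(events, events[1:])]
    return dwell, flight

def enroll(samples):
    """Build a Profile from several enrolment typing samples of the legitimate user."""
    dwell, flight = [], []
    for sample in samples:
        d, f = features(sample)
        dwell += d
        flight += f
    # Floor the std-dev so a perfectly regular typist does not divide by zero.
    return Profile(mean(dwell), max(pstdev(dwell), 1e-3),
                   mean(flight), max(pstdev(flight), 1e-3))

def score(profile, events):
    """Mean absolute z-score of a window against the profile; lower = more like the enrolled user."""
    dwell, flight = features(events)
    z = [abs(d - profile.dwell_mean) / profile.dwell_std for d in dwell]
    z += [abs(f - profile.flight_mean) / profile.flight_std for f in flight]
    return mean(z)

def monitor_session(profile, events, window=20, threshold=CHALLENGE_THRESHOLD):
    """Slide a fixed window over the session and return (verdict, score) per window.

    'reauth'    -> a gap longer than IDLE_LIMIT_S: hard re-authentication (8.2.8)
    'challenge' -> typing rhythm no longer matches the profile: step-up MFA
    'ok'        -> behaviour consistent with the enrolled user, no prompt
    """
    verdicts = []
    for start in range(0, len(events) - window + 1, window):
        chunk = events[start:start + window]
        gaps = [b.press - a.release for a, b in zip(chunk, chunk[1:])]
        if start > 0:  # also consider the gap leading into this window
            gaps.append(chunk[0].press - events[start - 1].release)
        if max(gaps) > IDLE_LIMIT_S:
            verdicts.append(("reauth", None))
            continue
        s = score(profile, chunk)
        verdicts.append(("ok" if s < threshold else "challenge", round(s, 2)))
    return verdicts

def synth_typing(rng, n, dwell_ms, flight_ms, jitter_ms, start=0.0):
    """Constructed sample data: n key events with uniform jitter around the given means (ms)."""
    events, t = [], start
    for i in range(n):
        dwell = rng.uniform(dwell_ms - jitter_ms, dwell_ms + jitter_ms) / 1000
        events.append(KeyEvent(chr(97 + i % 26), t, t + dwell))
        t += dwell + rng.uniform(flight_ms - jitter_ms, flight_ms + jitter_ms) / 1000
    return events

def demo():
    """Two constructed sessions: one hijacked mid-way by a faster, choppier typist,
    one with a 20-minute idle gap. Returns both verdict lists."""
    rng = random.Random(2024)
    agent = dict(dwell_ms=90, flight_ms=130, jitter_ms=15)
    profile = enroll([synth_typing(rng, 40, **agent) for _ in range(5)])

    legit = synth_typing(rng, 60, **agent)
    impostor = synth_typing(rng, 60, dwell_ms=55, flight_ms=260, jitter_ms=15,
                            start=legit[-1].release + 0.2)
    hijacked = monitor_session(profile, legit + impostor)

    before = synth_typing(rng, 20, **agent)
    after = synth_typing(rng, 20, **agent, start=before[-1].release + 20 * 60)
    idle = monitor_session(profile, before + after)
    return hijacked, idle

if __name__ == "__main__":
    for name, verdicts in zip(("hijacked session", "idle session"), demo()):
        print(name, verdicts)
```

In the hijacked session the first three windows pass silently and the three windows after the takeover are flagged for a challenge, while the idle session produces a hard re-authentication at the window following the gap. Real products use far richer features (per-digraph timings, mouse dynamics) and trained models rather than a global z-score, and the threshold is a trade-off: lower it and impostors are caught sooner but legitimate agents see more challenges, which is exactly the friction the page is trying to remove.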
Additional Resources For PCI
Twosense is dedicated to solving the problem contact centers face: with restricted devices, work-from-home agents, and PCI compliance to meet, Twosense positions continuous behavioral multi-factor authentication as a scalable, always-on way to meet and maintain PCI compliance for contact centers.
To learn more, check out these additional guides:
Twosense Cost Saving Blueprint
A Blueprint To PCI 4 Multi-Factor Authentication
Becoming PCI 4 Compliant with Behavioral Biometrics
The Bottom Line
PCI 4’s new authentication requirements are significant, but they don’t have to be a headache. Continuous MFA lets contact centers stay compliant, protect cardholder data, and keep operations running smoothly without turning authentication into a bottleneck.
Contact centers that adopt dynamic, behavior-based authentication can meet and exceed PCI 4 requirements while minimizing friction. The future of secure authentication isn’t just about stronger passwords and MFA—it’s about smarter, continuous real-time identity verification that happens automatically.