Navigating PCI 4: Ensuring Secure Authentication & Compliance in Contact Centers

A Requirement 8 Checklist for Contact Centers

Compliance in contact centers is going through a significant shift. PCI 4 becomes mandatory, in full, on March 31, 2025. Although the standard was introduced in 2022 and went into effect in 2024, organizations were given a transition period to implement the new requirements, and several of the future-dated requirements take effect in March of this year.

What is PCI Requirement 8?

Requirement 8 focuses on identity and access management, ensuring only authorized users can access the Cardholder Data Environment (CDE). The key updates in PCI 4 introduce stricter authentication controls, particularly multi-factor authentication (MFA) and session management, which significantly impact contact centers handling payment data.

Key Changes in Requirement 8 for Contact Centers:

  • Mandatory Multi-Factor Authentication (MFA): MFA is required for all employees accessing the CDE, network, and other relevant applications. This includes:
    • MFA at initial network login
    • MFA before accessing the CDE
    • Additional authentication challenges for high-risk access
  • Session Management & Timeouts:
    • Workstations must lock after 15 minutes of inactivity.
    • Users must re-authenticate after timeouts to regain access.
  • Stronger Password Requirements:
    • Minimum 12-character passwords with complexity rules (uppercase, lowercase, numbers, and special characters).
    • Password changes are required every 90 days unless continuous authentication solutions that meet PCI’s dynamic security requirements are used.
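The three controls above (password complexity, the 90-day rotation with its continuous-authentication exception, and the 15-minute idle lock with re-authentication) can be expressed as enforceable checks. The following is an added example written for this page, not Twosense's product code or text from the PCI DSS standard; the thresholds are the ones listed above, and every function, class and field name is an assumption of this example.

```python
"""Enforcement checks for the Requirement 8 controls listed above.
Added example: not Twosense's code and not the PCI DSS text. The thresholds
(12 characters, 90 days, 15 minutes) are the ones the post lists; all names
below are this example's own assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import string

MIN_PASSWORD_LEN = 12
PASSWORD_MAX_AGE = timedelta(days=90)
IDLE_LOCK_AFTER = timedelta(minutes=15)


def password_policy_violations(password: str) -> list[str]:
    """Return every complexity rule the password fails; empty means compliant."""
    violations = []
    if len(password) < MIN_PASSWORD_LEN:
        violations.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


def password_rotation_due(last_changed: datetime, now: datetime,
                          continuous_auth: bool = False) -> bool:
    """90-day rotation applies unless the account is covered by a continuous
    authentication solution (the exception the post describes)."""
    if continuous_auth:
        return False
    return now - last_changed >= PASSWORD_MAX_AGE


@dataclass
class AgentSession:
    """Agent workstation session: locks after 15 idle minutes and stays locked
    until a successful MFA re-authentication."""
    user: str
    last_activity: datetime
    locked: bool = False
    audit: list[str] = field(default_factory=list)

    def touch(self, now: datetime) -> bool:
        """Record activity; returns False (and locks) once the idle limit is hit."""
        if self.locked:
            return False
        if now - self.last_activity >= IDLE_LOCK_AFTER:
            self.locked = True
            self.audit.append(f"{now.isoformat()} {self.user} locked: idle timeout")
            return False
        self.last_activity = now
        return True

    def reauthenticate(self, mfa_passed: bool, now: datetime) -> bool:
        """Only a passed MFA challenge unlocks the session."""
        if not mfa_passed:
            self.audit.append(f"{now.isoformat()} {self.user} re-auth failed")
            return False
        self.locked = False
        self.last_activity = now
        self.audit.append(f"{now.isoformat()} {self.user} unlocked after MFA")
        return True


def run_demo() -> dict:
    """Exercise the controls on constructed timestamps and return the results."""
    t0 = datetime(2025, 3, 31, 9, 0)           # constructed reference time
    session = AgentSession("agent01", last_activity=t0)
    return {
        "compliant_pw": password_policy_violations("Agent-Desk-2025!"),
        "weak_pw": password_policy_violations("alllowercase1!"),
        "rotation_due": password_rotation_due(t0 - timedelta(days=91), t0),
        "rotation_waived": password_rotation_due(t0 - timedelta(days=91), t0,
                                                 continuous_auth=True),
        "active_at_10min": session.touch(t0 + timedelta(minutes=10)),
        "active_at_26min": session.touch(t0 + timedelta(minutes=26)),  # 16 min idle
        "failed_reauth": session.reauthenticate(False, t0 + timedelta(minutes=27)),
        "mfa_reauth": session.reauthenticate(True, t0 + timedelta(minutes=27)),
        "active_after_reauth": session.touch(t0 + timedelta(minutes=28)),
        "audit": session.audit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The session keeps an audit trail of locks and re-authentication attempts because the documentation item later in this post depends on being able to show, at recertification, that the timeout and re-authentication actually fire.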

Phishing & Authentication Security

Although not part of Requirement 8, it’s worth noting that PCI Requirement 5.4 mandates anti-phishing mechanisms to protect users against phishing attacks. These guidelines align closely with identity security best practices and reinforce the importance of phishing-resistant authentication:

  • Employees must undergo security awareness training to recognize phishing attempts and social engineering tactics.
  • Default passwords must be changed before deployment, reducing the risk of compromised credentials.

A PCI 4 Compliance Checklist for Contact Centers

  1. Implement MFA for all employees accessing the network, CDE, and other applications. MFA must combine at least two independent factors. Behavioral biometrics are encouraged as a phishing-resistant factor that enables continuous identity verification.
  2. Ensure session timeouts lock inactive workstations after 15 minutes, requiring users to re-authenticate before regaining access.
  3. Deploy authentication measures so that MFA challenges stay manageable, limiting security friction without weakening protection.
  4. Enforce password security policies, meeting PCI’s complexity and rotation requirements, including 12-character minimum passwords and periodic updates.
  5. Conduct employee security training on authentication best practices, phishing awareness, and secure credential management to reduce human error-related risks.
  6. Audit access control measures to ensure agents have only the necessary permissions based on their role, following the principle of least privilege.
  7. Monitor authentication logs or deploy a continuous authentication solution that detects anomalies and unauthorized access attempts, proactively identifying potential threats.
  8. Maintain clear documentation for recertification, tracking authentication measures, access control reviews, security training records, and MFA implementations to streamline audits and ensure ongoing compliance.
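Item 7 calls for monitoring authentication logs for anomalies and unauthorized access attempts. The following added example (not from the post, Twosense, or any SIEM product) runs three simple detections over constructed log lines: a burst of failed logins, a success immediately following such a burst, and a successful login from a source or at an hour outside the agent's baseline. The log format, thresholds, shift hours and per-user baseline are all assumptions of this example.

```python
"""Anomaly checks over agent authentication logs (checklist item 7).
Added example: not the post's or any vendor's detection logic. Log format,
thresholds, shift hours and the source baseline are assumed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines, not captured from a real system.
SAMPLE_LOG = """\
2025-03-31T08:58:10Z user=agent07 src=10.20.1.15 app=cde-desktop result=OK
2025-03-31T09:01:02Z user=agent12 src=10.20.1.31 app=cde-desktop result=FAIL
2025-03-31T09:01:09Z user=agent12 src=10.20.1.31 app=cde-desktop result=FAIL
2025-03-31T09:01:15Z user=agent12 src=10.20.1.31 app=cde-desktop result=FAIL
2025-03-31T09:01:40Z user=agent12 src=10.20.1.31 app=cde-desktop result=OK
2025-03-31T09:05:00Z user=agent07 src=203.0.113.9 app=cde-desktop result=OK
2025-03-31T23:10:00Z user=agent03 src=10.20.1.40 app=cde-desktop result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"app=(?P<app>\S+) result=(?P<result>OK|FAIL)$")

FAIL_BURST = 3                      # failures inside the window that count as a burst
BURST_WINDOW = timedelta(minutes=5)
SHIFT_START, SHIFT_END = 7, 20      # assumed agent shift, UTC hours
# Assumed per-user baseline of source addresses seen during normal operation.
KNOWN_SOURCES = {
    "agent07": {"10.20.1.15"},
    "agent12": {"10.20.1.31"},
    "agent03": {"10.20.1.40"},
}


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect_anomalies(log_text, known_sources=KNOWN_SOURCES):
    """Return (user, reason, timestamp) tuples in the order they are detected."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    for ev in parse(log_text):
        user, ts = ev["user"], ev["ts"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > BURST_WINDOW:   # drop failures outside window
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) == FAIL_BURST:               # alert once per burst
                alerts.append((user, "failure burst", ts))
            continue
        # Successful login: check the context it arrived in.
        if len(fails) >= FAIL_BURST:
            alerts.append((user, "success after failure burst", ts))
        if ev["src"] not in known_sources.get(user, set()):
            alerts.append((user, f"login from unseen source {ev['src']}", ts))
        if not (SHIFT_START <= ts.hour < SHIFT_END):
            alerts.append((user, "login outside shift hours", ts))
        fails.clear()
    return alerts


if __name__ == "__main__":
    for user, reason, ts in detect_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

A "success after failure burst" is the one worth prioritising for review, since it is the pattern a guessed or reused credential produces; the unseen-source and off-hours alerts are lower-fidelity on their own and are best fed into the access-review process in item 6 rather than paged on directly.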

Reducing Security Friction with Continuous MFA

While PCI 4 strengthens security, frequent MFA prompts can disrupt workflows. Continuous authentication solutions, like Twosense, offer a seamless approach by continuously verifying user identity without repetitive challenges. This approach enhances security while reducing agent fatigue and improving operational efficiency.

Need Help with PCI 4.0 Compliance?

Twosense provides an automated, continuous authentication solution that eliminates security friction while ensuring compliance. Our solution requires no additional hardware and integrates seamlessly with your existing infrastructure.

Get a demo and see how Continuous MFA simplifies PCI 4 compliance in contact centers!
