PCI DSS v4.0 brought sweeping changes to payment security when it became the only active version of the standard on March 31, 2024 (v3.2.1 was retired that day). But compliance isn’t a one-time event, and a critical new phase is approaching: the future-dated requirements, which are considered best practice until March 31, 2025 and become mandatory after that date.
For BPOs and their customers, these changes represent a significant shift in how identity, authentication, and session management are handled—especially under Requirement 8 (Identify Users and Authenticate Access to System Components), which covers multi-factor authentication (MFA), password rules, and session controls. The coming updates demand stronger controls and pose serious logistical challenges for underprepared security teams.
Key Upcoming Changes for BPOs
- Increased MFA Challenges
Requirement 8.4.2 (future-dated) makes MFA mandatory for all non-console access into the Cardholder Data Environment (CDE), on top of 8.4.3, which already requires MFA for remote network access. Completing MFA once at the VPN satisfies 8.4.3 but, in the common case where the VPN lands on the corporate network rather than directly in the CDE, it does not satisfy 8.4.2: a further challenge is required when the user connects into the CDE. Every individual who reaches the CDE—agents, vendors, admins, and third parties—therefore faces at least two challenges per session, which adds friction in fast-paced environments like contact centers.
- Idle Session Timeouts
Requirement 8.2.8 requires users to re-authenticate after a session has been idle for more than 15 minutes. The timeout itself is not new and is a PCI DSS rule rather than a NIST one: it carries over unchanged from v3.2.1 (8.1.8). What changes in v4.0 is its interaction with the expanded MFA scope: where MFA gates the access, re-activating an idle VPN or CDE session means repeating the MFA challenge, which disrupts workflows and calls for MFA solutions that balance security with usability.
- Frequent Password Rotations
Under Requirement 8.3.9, passwords must be changed at least every 90 days unless the security posture of the account is dynamically analysed instead (what vendors call continuous identity verification). For service providers such as BPOs, the future-dated 8.3.10.1 extends the same choice to customer user accounts. Both rules apply only where a password is the sole authentication factor, a caveat worth checking before planning a rotation program. Where rotation does apply it is cumbersome for agents and third parties and increases password fatigue, with the associated risks of reuse and poor storage practices.
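To make the three points above concrete, here is a small access-policy model written for this article; it is not Twosense code and not an official PCI SSC artifact. It encodes the separate VPN (8.4.3) and CDE (8.4.2) challenges, the 15-minute idle rule (8.2.8), and the 90-day rotation rule with its sole-factor and dynamic-analysis exceptions (8.3.9 / 8.3.10.1). The session fields and function names are assumptions made for illustration.

```python
"""Access-policy model for the Requirement 8 points above.
Illustrative code written for this article, not Twosense or PCI SSC code.
Encodes:
  8.4.3  MFA for remote network access (the VPN challenge)
  8.4.2  MFA for all non-console access into the CDE (a separate challenge)
  8.2.8  re-authentication after more than 15 minutes idle
  8.3.9  90-day password rotation only where the password is the sole factor
         and the account's security posture is not dynamically analysed
Session fields and function names are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IDLE_LIMIT = timedelta(minutes=15)        # PCI DSS 8.2.8
PASSWORD_MAX_AGE = timedelta(days=90)     # PCI DSS 8.3.9 / 8.3.10.1


@dataclass
class Session:
    user: str
    remote_mfa_at: Optional[datetime] = None   # MFA completed at the VPN (8.4.3)
    cde_mfa_at: Optional[datetime] = None      # MFA completed for the CDE (8.4.2)
    last_activity: Optional[datetime] = None
    password_only: bool = False                # password is the sole factor
    dynamic_posture_analysis: bool = False     # 8.3.9 alternative to rotation
    password_set_at: Optional[datetime] = None


def touch(s: Session, now: datetime) -> None:
    """Record user activity; this resets the 8.2.8 idle clock."""
    s.last_activity = now


def complete_mfa(s: Session, scope: str, now: datetime) -> None:
    """Record a successful MFA challenge for 'remote' (VPN) or 'cde' access."""
    if scope == "remote":
        s.remote_mfa_at = now
    elif scope == "cde":
        s.cde_mfa_at = now
    else:
        raise ValueError(f"unknown MFA scope: {scope}")
    touch(s, now)


def idle_expired(s: Session, now: datetime) -> bool:
    """8.2.8: more than 15 minutes without activity requires re-authentication."""
    return s.last_activity is None or now - s.last_activity > IDLE_LIMIT


def access_decision(s: Session, target: str, now: datetime) -> str:
    """Return 'allow', or the challenge the user must complete first.

    target is 'corporate' (inside the network, outside the CDE) or 'cde'.
    The function is pure: the caller records completed challenges with
    complete_mfa() and activity with touch().
    """
    if target not in ("corporate", "cde"):
        raise ValueError(f"unknown target: {target}")
    if s.remote_mfa_at is None:
        return "challenge: remote-access MFA (8.4.3)"
    if idle_expired(s, now):
        return "challenge: idle timeout, re-authenticate (8.2.8)"
    if target == "cde" and s.cde_mfa_at is None:
        # VPN MFA satisfies 8.4.3 but not 8.4.2: the CDE needs its own challenge.
        return "challenge: MFA for CDE access (8.4.2)"
    return "allow"


def password_rotation_due(s: Session, now: datetime) -> bool:
    """8.3.9 / 8.3.10.1: rotation applies only to sole-factor passwords whose
    account posture is not dynamically analysed; then 90 days is the limit."""
    if not s.password_only or s.dynamic_posture_analysis:
        return False
    return s.password_set_at is None or now - s.password_set_at > PASSWORD_MAX_AGE


if __name__ == "__main__":
    # Constructed walk-through of one agent's shift.
    t0 = datetime(2025, 4, 1, 9, 0)
    agent = Session(user="agent1")
    print(access_decision(agent, "corporate", t0))          # remote MFA first
    complete_mfa(agent, "remote", t0)
    print(access_decision(agent, "cde", t0))                # CDE still needs MFA
    complete_mfa(agent, "cde", t0 + timedelta(minutes=1))
    print(access_decision(agent, "cde", t0 + timedelta(minutes=10)))
    print(access_decision(agent, "cde", t0 + timedelta(minutes=17)))  # idle
```

The idle check is deliberately strict (`>` 15 minutes from the last recorded activity), and the rotation check returns False as soon as a second factor is in play, which is the point most teams miss when they budget for quarterly password changes.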
The Impact of These Requirements
For BPOs without the right solutions in place, these standards mean tighter controls and new operational challenges:
- Time and Resource Strain
Repeated MFA challenges, managing user passwords, and coordinating with clients for compliance will increase IT workloads.
- Higher Risk of User Frustration
Agents already balancing heavy workloads will experience increased security friction with frequent session terminations and authentication prompts. This could lead to inefficiencies or, worse, attempts to circumvent controls.
- Increased Complexity in Vendor Management
With the added responsibility of ensuring vendor and third-party compliance, BPOs must rethink their access control strategies to streamline processes without compromising security.
Behavioral MFA Provides A Better Path Forward
Traditional MFA methods—SMS codes, phone-based authenticator apps, or hardware tokens—are ill-suited to the challenge-heavy demands contact centers face under PCI DSS v4.0 (SMS is also the weakest of the three against interception and SIM-swap attacks). Behavioral MFA offers a seamless and scalable alternative that can be mapped to the same requirements:
- Continuous Authentication
Twosense applies machine learning and behavioral biometrics to contact center workforces, analyzing typing patterns and mouse movement. Behavioral MFA validates users continuously rather than at discrete prompts, removing the need for repeated challenges after short timeouts and raising confidence that only authorized users retain access to the CDE.
- Reduced Security Friction
Because Requirements 8.3.9 and 8.3.10.1 apply only where a password is the sole authentication factor, pairing passwords with a continuous behavioral factor takes the rotation requirement off the table, and removing passwords from the agent workflow entirely eliminates that friction for agents and admins alike.
- Streamlined Compliance
Designed around the needs of contact centers, Behavioral MFA lets BPOs meet the future-dated PCI DSS v4.0 requirements while reducing the administrative burden on IT teams. Whether a specific deployment satisfies 8.2.8 and 8.4.2 is ultimately a determination for your QSA, so keep a written mapping from each control to the requirement it covers.
What’s Next
Over the next four weeks, we’ll look at these upcoming requirements again and how they’ll affect BPOs and their clients. We’ll break down:
- How new MFA requirements and session timeouts will impact contact center workflows.
- Why password rotations pose a challenge for contact centers and their clients.
- The benefits of continuous identity verification in meeting PCI compliance.
- How Behavioral MFA can provide a secure, cost-effective solution tailored to your operations.
Stay tuned as we explore how to turn PCI DSS v4.0 challenges into opportunities to strengthen security, simplify compliance, and harden your contact center’s authentication strategy.