Frequently Asked Question
In what circumstances is multi-factor authentication required?
As of PCI DSS v3.2, multi-factor authentication (MFA) is also required for non-console connections to the CDE for personnel with administrative access (Requirement 8.3.1). This includes connections that originate from within the company’s internal, “trusted” network. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for further guidance on “administrative access” and “non-console access”.
The requirement to use multi-factor authentication for non-console administrative access to the CDE is limited to individuals with administrative privileges. It does not apply to non-administrative users nor does it apply to machine accounts, such as system or application accounts performing automated tasks.