Frequently Asked Question

Do PCI DSS Requirements 8.3.9 and 8.3.10.1 apply to all system components?

No. PCI DSS Requirements 8.3.9 and 8.3.10.1 do not apply to in-scope system components where multi-factor authentication (MFA) is used.

Requirements 8.3.9 and 8.3.10.1 apply if passwords/passphrases are used as part of a single-factor authentication implementation; neither of these requirements applies to in-scope system components where MFA is used.

PCI DSS v4.x Requirement 8.3.10.1 is like Requirement 8.3.9, except that it is specific to "service providers only" and to access by service provider customers. Both Requirements 8.3.9 and 8.3.10.1 specify that, if passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation), then either:

  • Passwords/passphrases are changed at least every 90 days or
  • The security posture of accounts is dynamically analyzed, and real-time access to resources automatically determined accordingly.

If an entity has implemented MFA for access to all in-scope system components (including those in the CDE, and those that are connected-to or security-impacting system components), then the entity does not have single-factor authentication implemented for any in-scope system components. For such entities, the assessor can mark Requirements 8.3.9 and 8.3.10.1 as “not applicable.” For any requirements marked “not applicable,” QSAs are expected to follow the ROC Template instructions to confirm and document why “not applicable” is the appropriate response.

Refer to the following FAQ:

FAQ 1591: Why do requirements 8.3.9 and 8.3.10.1 focus on passwords/passphrases used for single-factor authentication, when multi-factor authentication is required for all access into the CDE?


March 2025
Article Number: 1590