PCI DSS Requirement 8.4.2 for multi-factor authentication (MFA) is not mandatory for access to in-scope system components outside of the CDE. If a user’s access to a system component can be used to connect into the CDE, then MFA is required.
For Requirements 8.3.9 and 8.3.10.1, passwords/passphrases are still allowed as “the only authentication factor for user access (i.e., in any single-factor implementation)” if all the following are true:
- The system component being accessed is in scope but is not in the CDE, and
- The system component is a connected-to or a security impacting system, and
- The user’s access to that system component cannot be used to connect into the CDE.
Passwords/passphrases may also be “the only authentication factor for user access” within the CDE, where a user has been granted access into the CDE via MFA, and is subsequently accessing a system component within the CDE.
If an entity has implemented MFA for access to all in-scope system components (including those in the CDE, and those that are connected-to or security-impacting system components), then the entity does not have single-factor authentication implemented for any in-scope system components. For such entities, the assessor can mark Requirements 8.3.9 and 8.3.10.1 as “not applicable.” For any requirements marked “not applicable,” QSAs are expected to follow the ROC Template instructions to confirm and document why “not applicable” is the appropriate response.
Refer to the following FAQ:
FAQ 1590: Do PCI DSS Requirements 8.3.9 and 8.3.10.1 apply to all system components?