PCI-compliant payment processing: Tokenless two-factor authentication overcomes the compliance issues
SecurEnvoy, 18/08/2014
Service companies in particular hold large amounts of customer data that require a high level of protection. Companies that store information for processing card payments must also meet the requirements of PCI DSS (Payment Card Industry Data Security Standard). Among other things, those requirements stipulate that login to the company's internal systems, at least for remote access, cannot rely on a password alone. Tokenless two-factor authentication from SecurEnvoy addresses exactly this situation: employees receive a numeric code by SMS on their mobile phone and enter it in addition to their password.
Companies that process payments are subject to a number of compliance regulations. The PCI DSS rules, for example, require strongly protected access to networks that hold sensitive credit card payment data. A specific requirement applies to employees who access such a network remotely: under PCI DSS, logging in with only a password is not permitted.
Additional security at login
Companies must respond accordingly and add a second layer of security to network login. Two-factor authentication is the natural fit for this scenario. Many companies are unhappy that they may have to purchase expensive smart cards or other tokens for staff authentication. But there is a cheaper, secure alternative: tokenless two-factor authentication such as SecurAccess. With this solution, mobile phones are used instead of conventional hardware tokens. When a user wants to log into the network, a six-digit numeric code is sent by SMS or e-mail. Soft-token apps for each major mobile platform are also offered at no extra charge. The passcode is entered together with the user's username and password, so the login is tied unambiguously to that user. The passcode is valid only once and expires immediately after it has been used. For the next network login, SecurAccess sends the user a new code.
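As an added illustration of the flow just described (this is example code, not SecurEnvoy's, and SecurAccess's internal design is not described on this page), the following Python sketches the server-side logic such a second factor needs: a fresh six-digit code per login, stored only as a keyed hash, accepted exactly once, discarded on expiry or after too many wrong guesses, and checked only after the password has been verified. The validity window, the guess limit, the keyed-hash storage and the callable transport standing in for an SMS gateway are all assumptions of this example.

```python
"""Server-side issue / verify logic for an SMS or e-mail one-time passcode
second factor, written as an added illustration of the flow described above.
This is NOT SecurEnvoy code; the validity window, attempt limit, keyed-hash
storage and callable transport are this example's own assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6            # matches the six-digit code the text describes
CODE_TTL_SECONDS = 300     # assumed validity window (the page gives none)
MAX_ATTEMPTS = 5           # assumed guess limit before the code is discarded
PBKDF2_ROUNDS = 100_000    # password-hashing cost for the first factor


@dataclass
class PendingCode:
    digest: bytes      # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, send, server_key, now=time.time):
        self._send = send          # transport: send(username, code), e.g. an SMS gateway
        self._key = server_key     # secret used to key the stored digests
        self._now = now            # injectable clock so expiry can be tested offline
        self._pending = {}         # username -> PendingCode (one live code per user)

    def _digest(self, username, code):
        # Keyed so a leaked table of pending digests is not directly usable
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username):
        """Generate a fresh code, remember only its digest, hand the code to the
        transport. Issuing a new code invalidates any earlier one for the user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(
            self._digest(username, code), self._now() + CODE_TTL_SECONDS)
        self._send(username, code)

    def verify(self, username, code):
        """Return True once for the right code inside its window. The code is
        discarded on success, on expiry, and after MAX_ATTEMPTS wrong guesses."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[username]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(username, code))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[username]     # single use, or burnt by guessing
        return ok


def make_user(password, salt=None):
    """First-factor record: salted PBKDF2 hash of the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(user["hash"], candidate)


def login(users, otp, username, password, code):
    """Both factors must pass. The passcode is consumed only once the password
    is right, so a wrong password does not burn the legitimate user's code."""
    user = users.get(username)
    if user is None or not check_password(user, password):
        return False
    return otp.verify(username, code)


if __name__ == "__main__":
    # Stand-alone demo with a constructed user and an in-memory "SMS gateway".
    outbox = []
    otp = OtpService(lambda u, c: outbox.append((u, c)), b"server-side-secret")
    users = {"alice": make_user("correct horse battery staple")}
    otp.issue("alice")
    _, delivered = outbox[-1]
    print("code delivered out of band:", delivered)
    print("login with password + code:", login(users, otp, "alice", "correct horse battery staple", delivered))
    print("replay of the same code:   ", login(users, otp, "alice", "correct horse battery staple", delivered))
```

Two design points worth noting: the code is compared with `hmac.compare_digest` against a keyed hash rather than stored in clear, and a replay of an already-used code fails even inside the validity window, which is the "valid only once" property the text describes.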
"SecurAccess uses mobile phones as tokens for a number of good reasons," explains Steve Watts, Sales and Marketing Director at SecurEnvoy. "Firstly, nearly everyone has a mobile phone or a smartphone and, secondly, everyone always has their phone with them. Hardware tokens often get lost or employees accidentally leave them at home. Not only does this incur replacement costs, it also hinders work progress because for a certain amount of time, employees cannot be authenticated and therefore cannot access the network. Hence, for service companies, passcode transmission via SMS is the cheapest and most efficient way to ensure PCI DSS compliance."