PCI Section 8: MFA And The British Airways Attack

By Zach DeMeyer Posted October 3, 2018

PCI Section 8: Multi-factor Authentication and the British Airways Attack On Image of a Plane

This September, British Airways (BA) was the victim of a major cyber attack. Around 380,000 customers of the largest airline in the UK had their sensitive information compromised. Besides the customers’ names and email addresses, the bad actors behind the attack made off with these unfortunate people’s credit card numbers, expiration dates, and security codes (e.g. CV2, CVV). After investigating the breach, researchers found that the hacking group responsible, Magecard, used a web-based credit card skimmer to intercept BA customer data. Upon second review, however, the British Airways’ website was found to not be PCI DSS compliant. In light of this, we will discuss the related requirement of PCI DSS compliance, PCI Section 8. Namely, we will focus on how to achieve compliance with strong identity security and multi-factor authentication.

What is PCI Section 8?

PCI DSS Section 8 states that users who are permitted into a Cardholder Data Environment (CDE) must have authorized identities. While it may seem straightforward to only sanction access to the correct people regarding sensitive data of a CDE, the truth is a bit more tricky. In the case of the British Airways breach, the dissidents at Magecard managed to bypass the authorization process through some method and install their skimmer script. While the actual method of bypass is still unclear, one can assume that the attack could have been due to poor identity security.

Multi-factor Authentication for Stronger Identity Security

While there are several methods for improving identity security, an up-and-coming solution is multi-factor authentication (MFA). MFA leverages several different techniques depending on its implementation, but the end goal is still the same. By using an additional step in the authorization process, be it a TOTP (time-based, one-time password) key or a physical login token USB, the chance of an identity being compromised is decreased dramatically. In their report on MFA, Symantec found that 80% of security breaches in the last several years would have been stopped via MFA.

At JumpCloud®, we believe that strong identity security starts with a strong directory service, like Directory-as-a-Service®. Creating a secure identity database and managing the permissions of those identities is essential for achieving PCI Section 8 compliance. Add in additional layers of security such as MFA and others and you have a greater chance at rebuffing would-be breaches.

Directory-as-a-Service®: PCI Section 8 Compliance & MFA

Coalfire PCI DDS Compliance Review Cover

Although it’s easy to just say “do this and be PCI Section 8 compliant,” JumpCloud decided to put our money where our mouth is. We asked the independent cyber risk management advisory, Coalfire, to put Directory-as-a-Service to the test. Coalfire put the cloud-based directory service through the rigors of a PCI DSS Section 8 and 10 compliance review to see just how the platform fared.

After the smoke cleared, Coalfire found that when properly implemented, the Directory-as-a-Service product is, in fact, more than capable of providing coverage for the requirements of PCI Section 8. They also found that JumpCloud can help an organization with  Section 10 compliance as well. You can see the results for yourself in Coalfire’s whitepaper on the topic.

Additionally, regarding identity security, JumpCloud enables multi-factor authentication on Mac® and Linux® devices, with support for Windows® systems coming soon. By leveraging JumpCloud, you can better protect your user identities with confidence. Ultimately, when it comes to creating more secure user identities, JumpCloud Directory-as-a-Service makes life easier and secure, and ultimately, Makes Work Happen™.

Make work happen with Directory-as-a-Service
Try Directory-as-a-Service

JumpCloud directory-as-a-service

Explore your identity security options with JumpCloud, and sign up for Directory-as-a-Service today. Not only is signing up free, but your first ten users in the platform are au gratis for life. You can learn more about JumpCloud by contacting us, exploring our blog, or watching some videos on our YouTube channel.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.

Recent Posts