Multifactor Authentication: Protecting Your User Account
Because CBOSS transmits and stores credit card data, we’re subjected to annual security audits aimed at ensuring that we’re following and adhering to the Payment Card Industry Data Security Standard (PCI-DSS). In addition to the audit, we’re subjected to periodic third-party scans of our networks to validate we’re not exposed to vulnerabilities.
PCI-DSS 4.0 and Protecting Your Customers' Data
The most recent version of the PCI Data Security Standard (PCI-DSS) was released in March of 2022 by the PCI Security Standards Council. CBOSS is currently audited to version 3.2.1, but we are diligently preparing for the necessary changes to meet version 4.0 requirements in 2024.
While the main focus of the standard is to protect credit card data, CBOSS combines other sensitive data into its security program including bank account information for electronic check transactions, personal identifiable information (PII), and user accounts for our CPP line of products, to name a few.
With respect to user accounts, CBOSS follows and maintains processes for ensuring users are segmented in the data they can both view and edit through role-based access control. This includes user accounts for CBOSS personnel who support our clients, perform billing functions, and the like. Customer and CBOSS users are prevented from directly accessing payment information.
Currently, user accounts for the CPP line of products enforce minimum requirements for password length, complexity, and duration of life (currently 90 days). Moving forward, these password requirements will become more rigid, but that’s not the focus of this article.
Using MFA to Combat Fraud
The rise in email phishing campaigns, social engineering tactics, and other malicious practices has drawn more attention beyond password requirements. Threat actors exploit a number of methods to compromise user accounts. Regardless of their intent, they’re always looking for ‘the easy way in.’ It is our collective duty and responsibility to thwart all malicious activity.
The protection of customer data is our first priority and CBOSS will continue our diligence in the interest of customer and client security. As such, CBOSS will be rolling out Multi-factor Authentication (MFA) across its product offerings in 2023. In short, MFA is another layer of security for protecting a user account. You’ve likely experienced the use of MFA in other services you use both in your employment and personal life.
While CBOSS is initially rolling out MFA as an opt-in program, we encourage and recommend you opt-in. We’re currently in the planning stage of this release and are considering a handful of options to make your experience as seamless and user-friendly as possible – and without compromising security. We also encourage you to reach out to us if you feel you can offer some input for any MFA solution options. For example, if your organization has already implemented one of the MFA solutions below, we’d be happy to hear from you.
- Duo Mobile
- Other FIDO2/WebAuthn Device
- Twilio Authy
If I may reiterate content from a previous CBOSS blog post, “Special note on MFA selection: Many organizations are attracted to options like SMS or text messaging to add MFA to their systems. The appeal comes from the ease of configuration, and low cost of implementation. A word of caution though, SMS is considered a weak form of authentication, due to the large number of exploitable vulnerabilities all throughout the SMS platform. For this reason, the PCI DSS does not consider SMS a viable option for adding MFA.” – Mike Lendvay
For your reference, here’s a link to an article describing multi-factor authentication.