MFA on all CDE access
Demonstrate that multi-factor authentication is enforced on all access points to the Cardholder Data Environment, including administrative, application, network, and database access, with no exceptions for privileged or service accounts.
Description
What this control does
This control requires multi-factor authentication (MFA) for all users, systems, and processes accessing the Cardholder Data Environment (CDE), including interactive logins, administrative access, and privileged accounts. MFA requires at least two independent factors from different categories: something the user knows (password), something the user has (hardware token, smart card, mobile authenticator), and something the user is (biometric); two factors of the same category, such as a password plus a security question, do not qualify. By requiring a second factor, the control limits the damage of a credential compromise through phishing, brute force, or credential stuffing, since the attacker still lacks the second factor, making it a critical defense layer for protecting payment card data.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is enforced on all access points to the Cardholder Data Environment, including administrative, application, network, and database access, with no exceptions for privileged or service accounts.
Associated risks
Risks this control addresses
- Attacker uses stolen or phished credentials to gain unauthorized access to systems storing cardholder data
- Insider threat actor with valid password but no physical token accesses sensitive payment card information
- Brute force or password spraying attack succeeds in compromising single-factor authentication
- Credential stuffing attack leveraging breached credentials from third-party sources gains CDE access
- Remote attacker exploits weak or default passwords on administrative interfaces without secondary authentication
- Malware harvests saved passwords and uses them to authenticate to CDE systems undetected
- Terminated employee retains knowledge of credentials and attempts unauthorized access after separation
Testing procedure
How an auditor verifies this control
- Obtain and review the network diagram and data flow documentation to identify all entry points and access vectors into the CDE, including VPN gateways, jump hosts, application interfaces, database connections, and administrative consoles.
- Retrieve authentication configuration exports from all CDE access control systems including Active Directory, VPN concentrators, privileged access management (PAM) solutions, database servers, and application authentication modules.
- Interview system administrators and review access control policies to identify all user roles with CDE access, including developers, database administrators, network engineers, and third-party vendors.
- Select a representative sample of user accounts across all identified access vectors and attempt test logins to verify MFA enforcement at the authentication layer, documenting prompts, token types, and authentication flows.
- Review authentication logs covering at least the preceding 90 days to identify successful authentication events to CDE systems that carry no MFA validation. Filter on the destination addresses of CDE systems, and include service and non-interactive accounts in the review rather than excluding them, since those are the accounts most often exempted in practice.
- Examine service account and API authentication mechanisms to verify certificate-based, key-based, or cryptographic MFA alternatives are implemented where interactive MFA is not feasible.
- Test exception processes by reviewing any documented MFA exemptions or temporary bypasses, verifying business justification, compensating controls, and time-bound approval workflows.
- Validate MFA enrollment completeness by comparing the inventory of CDE-accessing accounts against MFA system registration records to identify any accounts not enrolled in MFA.
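The log review and enrollment reconciliation steps above are the two that can be automated against exported evidence. The following Python script is an added example written for this page, not tooling from any vendor or assessment framework. It assumes a hypothetical JSON-lines authentication log with `user`, `dst`, `result` and `mfa` fields, a CSV export of accounts with CDE access, and a set of MFA-enrolled accounts; all sample data is constructed inline. It reports successful CDE logins with no MFA factor and splits enrollment gaps into interactive accounts (an MFA finding) and service accounts (to be checked against the certificate- or key-based alternatives described above).

```python
"""Audit helper: find MFA gaps in CDE authentication logs and enrollment records.

Added example for this page. The log schema, host list, account export and
enrollment set are all constructed assumptions, not real evidence.
"""
import csv
import io
import json

# Constructed: hypothetical CDE host inventory taken from the network diagram.
CDE_HOSTS = {"10.10.1.5", "10.10.1.6", "10.10.2.20"}

# Constructed: sample JSON-lines authentication log (hypothetical schema).
SAMPLE_LOGS = """\
{"ts":"2024-03-01T09:01:00Z","user":"alice","src":"203.0.113.7","dst":"10.10.1.5","result":"success","mfa":"totp"}
{"ts":"2024-03-01T09:05:00Z","user":"svc-batch","src":"10.10.2.9","dst":"10.10.2.20","result":"success","mfa":""}
{"ts":"2024-03-01T09:07:00Z","user":"bob","src":"198.51.100.4","dst":"10.10.1.6","result":"success","mfa":"none"}
{"ts":"2024-03-01T09:09:00Z","user":"carol","src":"198.51.100.9","dst":"10.10.1.6","result":"failure","mfa":"none"}
{"ts":"2024-03-01T09:12:00Z","user":"dave","src":"192.0.2.8","dst":"10.20.0.3","result":"success","mfa":"none"}
{"ts":"2024-03-01T09:15:00Z","user":"alice","src":"203.0.113.7","dst":"10.10.2.20","result":"success","mfa":"push"}
"""

# Constructed: export of accounts with CDE access and the MFA registration set.
CDE_ACCOUNTS_CSV = """\
account,role,type
alice,dba,interactive
bob,netadmin,interactive
carol,developer,interactive
dave,vendor,interactive
svc-batch,batch,service
"""
MFA_ENROLLED = {"alice", "carol"}

# Values an MFA field may carry when no second factor was validated.
NO_MFA_MARKERS = {"", "none", "null", "n/a"}


def parse_logs(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unverified_cde_logins(events, cde_hosts):
    """Return successful logins to CDE hosts where no MFA factor was recorded.

    Failed logins and logins to non-CDE hosts are out of scope for this check.
    """
    findings = []
    for event in events:
        if event.get("dst") not in cde_hosts or event.get("result") != "success":
            continue
        factor = (event.get("mfa") or "").strip().lower()
        if factor in NO_MFA_MARKERS:
            findings.append(event)
    return findings


def enrollment_gaps(accounts_csv, enrolled):
    """Compare the CDE account inventory against MFA enrollment records.

    Interactive accounts missing enrollment are direct findings; service
    accounts are listed separately so the assessor can verify their
    certificate- or key-based alternative instead.
    """
    gaps = {"interactive": [], "service": []}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["account"] not in enrolled:
            gaps.setdefault(row["type"], []).append(row["account"])
    return gaps


def main():
    events = parse_logs(SAMPLE_LOGS)
    for event in find_unverified_cde_logins(events, CDE_HOSTS):
        print(f"NO-MFA LOGIN  {event['ts']}  {event['user']} -> {event['dst']}")
    gaps = enrollment_gaps(CDE_ACCOUNTS_CSV, MFA_ENROLLED)
    print("Interactive accounts not enrolled:", gaps["interactive"])
    print("Service accounts to verify alternative auth:", gaps["service"])


if __name__ == "__main__":
    main()
```

On the constructed sample this flags the `svc-batch` and `bob` logins (both successful, both to CDE hosts, neither with a factor), ignores `carol` because the login failed and `dave` because the destination is outside the CDE, and reports `bob` and `dave` as unenrolled interactive accounts. In a real review, the destination filter should be built from the CDE inventory in the network diagram rather than hand-typed, and an empty or missing `mfa` field should be treated as a finding rather than silently skipped, which is why the marker set includes the empty string.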
Where this control is tested