How to Go Password-Less Under PCI DSS v4.0
Across the current digital economy, more and more organizations are going passwordless—with tech conglomerates like Apple, Microsoft, and Google leading the way, organizations are pivoting to other authentication solutions to better secure information and simplify workflows. But replacing passwords with alternatives successfully also means accounting for the related factors—including those that could impact your PCI DSS compliance.
As cybersecurity experts, we’re privy to the many versatile implementations organizations make to safeguard their assets, as well as the requirements those implementations must meet to satisfy diverse compliance frameworks.
In this blog post, we’re going to focus on PCI DSS—we’ll discuss the advantages of removing passwords from your authentication methods as well as how you’ll need to mitigate the resulting impact on your PCI DSS compliance.
The Danger of Credential-Based Attacks – The Upward Trend of Passwordlessness
If you’re among those considering going passwordless, you’re not alone, nor is the idea without merit, as credential-based attacks continue to threaten our ever-growing digital footprint.
According to IBM’s X-Force Threat Intelligence Report, credential-based attacks increased by 71% from 2022 to 2023, and that significant increase was driven by phishing, brute force, and social engineering-based tactics. Compromised valid accounts also represented nearly a third of the incidents that X-Force responded to in 2023.
No doubt this is due to the immense value of credentials on the dark web. Not only can hacked logins be used in ransomware attacks, identity theft, and account takeovers, but credentials can also be sold for further exploitation. Plus, if your personnel often reuse usernames and passwords across platforms, threat actors can attempt to use stolen credentials from one platform to gain unauthorized access to other sensitive systems.
All this should definitely raise internal password policy concerns, as successful credential-based attacks can have devastating consequences—e.g., corporate espionage and significant financial and reputational damage. For the same reasons, organizations are also shifting toward an approach that removes passwords from the attack surface altogether.
Should You Go Passwordless?
We are often approached by clients regarding the implementation of passwordless authentication strategies, and there are advantages to be gained, including:
- Stronger Security: With password vulnerabilities eliminated, your organization is less susceptible to phishing, credential stuffing, and similar attacks.
- Improved User Experience: Common security alternatives to passwords—like biometric login or one-time codes—are not only often much quicker than typing in passwords, but they free your personnel from the burden of having to remember or reset passwords.
Of course, there are drawbacks to going passwordless too:
- The Cost of Switching: As with any pivot to a new solution, implementing password alternatives would require investment in new infrastructure, and educating employees on how the new measures work would take time (and perhaps more money too).
- Accessibility and Privacy Issues: Biometric methods are a common alternative to passwords, but some people might have difficulty using fingerprint scanners or face recognition due to physical disabilities. And since fingerprints and facial scans can’t be updated like passwords, there are specific ethics and privacy concerns about collecting and using them.
3 Considerations When Going Passwordless Under PCI DSS v4.0
Given the advantages, many organizations are moving forward with going passwordless, but, as they do—and perhaps as you do—consider the following regarding PCI DSS compliance efforts.
1. New-Look Authentication Requirements
PCI DSS v4.0 does now allow organizations to take a passwordless approach for both their Cardholder Data Environment (CDE) and system components, and the good news is that, if you do, you’re no longer obligated to fulfill the following:
- Requirement 8.3.9: Related to password rotation or dynamic analysis
- Requirements 8.3.5, 8.3.6, and 8.3.7: Regarding password strength, length, history, and initial passwords
And while this would certainly simplify your access management and remove the risk of forgotten-password lockouts, PCI DSS v4.0 still requires authentication of some kind. To understand how you can successfully pivot away from passwords under PCI DSS, requirement 8.3.1 provides the key insight: it specifies that user access must be authenticated via at least one of the following factors:
- Something you know (e.g., password or passphrase)
- Something you have (e.g., token device or smart card)
- Something you are (e.g., biometric element)
2. Still-in-Effect Multi-Factor Mandates
Such flexibility is nice to have, but then you’ve also got to consider PCI DSS v4.0's requirements 8.4.1, 8.4.2, and 8.4.3, which mandate multi-factor authentication (MFA) to obtain any access to the CDE—“multi-factor,” meaning more than one.
If you opt for a passwordless solution, you eliminate the “something you know” (knowledge) factor described above, which means that to meet the PCI DSS MFA requirements you must then do one of the following:
- Incorporate another knowledge-based element, such as challenge-and-response questions, to go with either a token or biometrics;
- Implement biometrics together with a token (such as a TOTP/digital token), which is the more common approach; or
- Implement a customized control in collaboration with your QSA, which could include “multi-step” authentication in place of multi-factor authentication.
Moreover, testing the effectiveness of your new, passwordless MFA setup will be essential—not just because such testing is mandated under requirement 8.5.1, but because it’ll be critical to ensure that your new authentication framework is secure and reliable.
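The two rules that matter when reviewing a passwordless design against the requirements above are easy to get wrong in practice: every access path still needs at least one 8.3.1 factor, and access to the CDE needs two factors of *different* types (two possession factors, such as a TOTP app plus a hardware token, are not MFA). The following is an added example, not code from the original post or from Schellman, that models those checks as a small policy review script. The authenticator names, the `AccessPolicy` structure and the sample policies are constructed for illustration, and the mapping of password authenticators to requirements 8.3.5–8.3.7 and 8.3.9 is a deliberate simplification of the text above, not a substitute for a QSA’s judgement.

```python
"""Review authentication policies for PCI DSS v4.0 factor coverage (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three authentication factor types named in PCI DSS requirement 8.3.1."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Hypothetical authenticator catalogue: each authenticator type maps to the
# single 8.3.1 factor it provides. Extend this for your own environment.
AUTHENTICATOR_FACTORS: dict[str, Factor] = {
    "password": Factor.KNOWLEDGE,
    "passphrase": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fido2_key": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

# Simplified model of the blog's point: these password-specific requirements
# only apply while a password or passphrase is still in use.
PASSWORD_REQUIREMENTS = {"8.3.5", "8.3.6", "8.3.7", "8.3.9"}


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    authenticators: tuple[str, ...]
    cde_access: bool  # True if this policy grants access into the CDE


def factors_for(authenticators: tuple[str, ...]) -> set[Factor]:
    """Return the distinct factor types covered by a set of authenticators."""
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTORS]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {AUTHENTICATOR_FACTORS[a] for a in authenticators}


def is_passwordless(authenticators: tuple[str, ...]) -> bool:
    """True when no password or passphrase is part of the policy."""
    return not any(a in ("password", "passphrase") for a in authenticators)


def password_requirements(authenticators: tuple[str, ...]) -> set[str]:
    """Password-specific requirements that still apply to this policy."""
    return set() if is_passwordless(authenticators) else set(PASSWORD_REQUIREMENTS)


def evaluate(policy: AccessPolicy) -> list[str]:
    """Return review findings; an empty list means the modelled checks pass."""
    findings: list[str] = []
    factors = factors_for(policy.authenticators)
    if not factors:
        findings.append("no authenticator configured; 8.3.1 requires at least one factor")
    elif policy.cde_access and len(factors) < 2:
        covered = sorted(f.value for f in factors)
        findings.append(
            f"CDE access with only one factor type {covered}; "
            "8.4.x MFA needs two distinct factor types (two of the same type do not count)"
        )
    return findings


# Constructed sample policies exercising the common cases.
SAMPLE_POLICIES = [
    AccessPolicy("cde-admin-passwordless", ("totp", "fingerprint"), cde_access=True),
    AccessPolicy("cde-two-possession", ("totp", "hardware_token"), cde_access=True),
    AccessPolicy("cde-password-only", ("password",), cde_access=True),
    AccessPolicy("noncde-fido2-only", ("fido2_key",), cde_access=False),
]


def review(policies: list[AccessPolicy]) -> dict[str, list[str]]:
    """Evaluate every policy and return findings keyed by policy name."""
    return {p.name: evaluate(p) for p in policies}


if __name__ == "__main__":
    for name, findings in review(SAMPLE_POLICIES).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {name}: {'; '.join(findings) or 'ok'}")
```

Running the script flags `cde-two-possession` (a TOTP app and a hardware token are both “something you have”) and `cde-password-only`, while the biometric-plus-token policy passes and carries none of the password-specific requirements. Feeding your real policy inventory through a check like this is one cheap way to support the 8.5.1 testing mentioned above before the QSA does it for you.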
3. The Importance of Anti-Phishing Measures
While moving away from passwords will certainly reduce the risk of successful credential-based attacks like phishing, going passwordless doesn’t mean you can stop worrying about those tactics entirely—anti-phishing controls must still be considered.
That’s because, though removing passwords will reduce the authentication attack surface, personnel are still vulnerable to increasingly sophisticated social engineering. PCI DSS requirement 5.4.1 describes the importance of detecting and protecting against these types of attacks, and it remains relevant even when you’ve implemented a no-password authentication method.
For more details, the US Cybersecurity and Infrastructure Security Agency (CISA) published guidance on implementing phishing-resistant MFA in October 2022. It highlights some of the most common attack vectors and provides recommended implementations, which could also include:
- Hardware like email filters and monitoring tools that help detect suspicious communications proactively; and
- Regular training that educates employees on how to identify phishing attacks.
Moving Forward with Password Alternatives
As credential-based attacks continue to increase, technologies supporting passwordless authentication are becoming increasingly widespread. (Passkeys, in particular, are gaining popularity—especially in enterprise environments where mobile devices are increasingly accepted as primary work devices—with FIDO2 as an emerging standard. For a deeper dive into this type of passwordless authentication, the FIDO Alliance is an excellent source.)
And while transitioning to passwordless authentication can help enhance your security and simplify compliance, careful planning will be essential to ensure that your organization continues to meet all PCI DSS v4.0 requirements.
We’ve provided a few important and specific considerations, but to further simplify your PCI DSS compliance, check out our comprehensive library of content regarding the many complexities of this standard.
About Salvatore Butera
Salvatore Butera is a Senior Associate with Schellman. Prior to joining Schellman in 2022, Salvatore provided consultative services across a variety of industries, including services ranging from on-premises and cloud system architecting, risk assessment, PCI DSS compliance, network security, and other general consulting services. Salvatore holds several industry certifications including CISSP, CISA, QSA, AWS CSA, and CCSK, and as a Senior Associate at Schellman, he focuses primarily on PCI engagements for organizations spanning many different industries.