Financial Services

SurePassID for Financial Services Regulatory Compliance

FFIEC Guidance and PCI DSS Regulatory Compliance

The Authentication in an Internet Banking Environment guidance from the Federal Financial Institutions Examination Council (FFIEC) calls for “effective methods to authenticate the identity of customers.” The Guidance also states that:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

The FFIEC’s Supplement to Authentication in an Internet Banking Environment reinforces the Guidance’s risk management framework and updates the expectations regarding customer authentication, layered security, and other controls in an increasingly hostile online environment. In particular, the Supplement calls for the use of “dual customer authorization through different access devices” and “out-of-band verification for transactions” within a “layered security program,” such as the end-to-end solution that SurePassID provides.

The Payment Card Industry Data Security Standard (PCI DSS) mandates that organizations which “hold, process, or pass cardholder information” meet a minimum baseline of security controls. Part of that baseline is protecting remote access logins with strong authentication. The wording quoted below is the Requirement 8.3 text from the v1.x releases of the standard; later versions renumber and broaden it (v3.2 extends multi-factor authentication to all non-console administrative access to the cardholder data environment), so check the version your assessor applies. Specifically, section 8.3 says that organizations must:

Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

Deploying Two-Factor Authentication (2FA) with SurePassID is the fastest path to compliance with FFIEC guidance and PCI DSS. SurePassID’s one-click installer is compatible with most legacy IT infrastructures and supports VPNs, RADIUS and TACACS. SurePassID is compatible with almost any authentication method and device, including:

Free:

  • Mobile OTP (smart phones, tablets) – installed on user’s device
  • Desktop OTP (desktops, laptops) – installed on user’s device

Very Low Cost:

  • SMS OTP and IVR – text or call to user’s phone
  • PassFaces – installed on user’s device
  • Matrix Cards – Challenge-response ISO 7810-compliant printed cards; issued to users

Higher Cost:

All SurePassID Regulatory Compliance Solutions for Financial Services include:
