Lets ignore, for now, a risk based answer to the question. Does PCI DSS v3.2 require network device administrators to use multifactor authentication when accessing a router?
Lets presume that network traffic containing the PAN traverses the router.
PCI DSS v3.2 requirement 8.3.1 states:
8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
The guidance for 8.3.1 says:
If the CDE is segmented from the rest of the entity’s network, an administrator would need to use multi-factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
So is the router a CDE system?
Well presuming that it transmits CHD it does meet the definition of a CDE system.
Definition of CDE from the PCI DSS v3.2 Glossary:
So it appears that YES, PCI DSS v3.2 requires network device administrators to use multifactor authentication when accessing a router.
Question: Does it matter if the network traffic is encrypted?
Lets presume that the router is between a PIN pad device that transmits CHD to a payment processor on the internet. The CHD is encrypted to be “safe” enough to traverse untrusted systems on the internet. Doesn’t this let our internal network components off the hook for the new multi factor authentication requirement? Traditionally, no. Encryption does not get a system off the hook.
But if you are looking to confuse the issue, check out Appendix B Compensating Controls. It contains the following example:
Existing PCI DSS requirements MAY be considered as compensating controls if they are required for another area, but are not required for the item under review. For example, multi-factor authentication is a PCI DSS requirement for remote access. Multi-factor authentication from within the internal network can also be considered as a compensating control for non-console administrative access when transmission of encrypted passwords cannot be supported. Multi-factor authentication may be an acceptable compensating control if: (1) it meets the intent of the original requirement by addressing the risk of intercepting clear-text administrative passwords; and (2) it is set up properly and in a secure environment.
WHAT??? Internal networks don’t require MFA???? Don’t worry, I think we can ignore the above Appendix B Compensating Control example. It has remained unchanged (other than being changed from two factor to multifactor) going back to at least PCI DSS v2 and is presumably now just a bad outdated example once the multifactor authentication requirement kicks in January 2018.
Clear as mud?
Ad below this line: