MFA for all administrative access
Description
Multi-factor authentication is required for all non-console administrative access into the CDE.
⚠️ Risk Impact
Without MFA, compromised admin passwords grant direct access to payment systems.
🔧 Remediation
Enable MFA for all admin users. EchelonGraph detects IAM users without MFA.
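One way to perform the check described above, as an added example that is not EchelonGraph's own code: it parses an AWS IAM credential report (a constructed sample is embedded below, in the column layout `aws iam get-credential-report` returns after base64 decoding) and lists administrative users who can sign in with a password but have no MFA device. Which IAM users count as administrative is an assumed input, normally derived from a review of admin groups and policies.

```python
import csv
import io

# Constructed sample laid out like an AWS IAM credential report; only the
# columns this check reads (user, password_enabled, mfa_active) matter.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,false,false,false
dba-alice,arn:aws:iam::111122223333:user/dba-alice,2021-03-02T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,2024-04-10T00:00:00+00:00,false,true,false
netops-bob,arn:aws:iam::111122223333:user/netops-bob,2021-03-02T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,2024-04-10T00:00:00+00:00,true,false,false
helpdesk-carol,arn:aws:iam::111122223333:user/helpdesk-carol,2023-07-20T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-03-10T00:00:00+00:00,2024-06-10T00:00:00+00:00,false,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-15T10:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""

# Assumed input: the set of IAM users with administrative rights to CDE
# systems, taken from a separate group/policy review.
ADMIN_USERS = {"dba-alice", "netops-bob"}


def users_without_mfa(report_csv, admin_users=None):
    """Return users who can log in interactively but have no MFA device.

    password_enabled is 'true'/'false' for IAM users and 'not_supported' for
    the root account, which always has a console login and is always treated
    as administrative. Pass admin_users=None to report every console user.
    Users with only access keys (password_enabled 'false') are not flagged
    here; programmatic access is a separate control.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        is_root = name == "<root_account>"
        console_login = is_root or row["password_enabled"] == "true"
        in_scope = is_root or admin_users is None or name in admin_users
        if console_login and in_scope and row["mfa_active"] != "true":
            findings.append(name)
    return findings


if __name__ == "__main__":
    for user in users_without_mfa(SAMPLE_REPORT, ADMIN_USERS):
        print(f"admin console login without MFA: {user}")
```

In a live account, feed the function the decoded report from `aws iam get-credential-report --query Content --output text | base64 -d`; the root account appearing in the output is the highest-priority finding.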
💀 Real-World Attack Scenario
A PCI QSA discovered that database administrators accessed the CDE database directly using password-only authentication over a VPN. An attacker who obtained the DBA's credentials through a keylogger on the admin's home computer accessed the CDE database containing 5M cardholder records.
💰 Cost of Non-Compliance
PCI DSS 4.0 Req 8.3.1 is a mandatory control — no compensating controls are accepted. Non-compliance results in an immediate qualified opinion and potential loss of payment processing privileges.
📋 Audit Questions
1. Is MFA enforced for ALL administrative access to CDE systems?
2. What MFA methods are used?
3. Does MFA cover VPN, SSH, RDP, and database admin access?
4. How is MFA bypass prevented?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ MFA for initial VPN but not for CDE system access behind the VPN
- ⛔ Exception for 'console access' being interpreted too broadly
- ⛔ MFA fatigue attacks bypassing push-notification-based MFA
📈 Business Value
CDE admin MFA is a mandatory PCI DSS requirement with no exceptions. It prevents the most impactful payment system attacks — admin credential compromise leading to mass cardholder data theft.
⏱️ Effort Estimate
4-8 hours to deploy MFA across all CDE admin access points
EchelonGraph detects admin users without MFA across all cloud accounts
🔗 Cross-Framework References
Automate PCI DSS 8.3.1 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.