Page 26 - GS220501
Cover Story
Sutcliffe additionally noted PCI DSS v3.2.1's specified guidelines remain in place for organizations that require them. "In essence, the council provides flexibility to mature organizations that can perform a thorough risk analysis of their environment to meet security objectives whilst also supporting the organization that prefers clear guidelines," she said.

Sutcliffe described PCI DSS v3.2.1 as a mature, robust security standard that protects transitioning companies. A two-year window for migrating to the new standard, beginning in March 2022 and ending in March 2024, can be used to update infrastructure while phasing in PCI DSS v4.0, she stated.

"Because of these structural changes, we wanted to give organizations enough time to thoroughly familiarize themselves with the changes, not just the new requirements but all the other changes in the standard as well," Sutcliffe said. "This gives them extra time to update their processes, technologies and methods to meet security objectives."

Additional information about PCI DSS is available at the PCI Security Standards document library: www.pcisecuritystandards.org/document_library.

FIDO v2.0

Andrew Shikiar is executive director and chief marketing officer at the FIDO Alliance, a global standards association focused on strengthening and simplifying authentication by using open, scalable, interoperable methodologies that reduce reliance on passwords. Reflecting on FIDO's journey, which began in 2012, Shikiar said FIDO's U.S. and international working groups collaborate on actionable approaches to implementation and improving the user experience.

"In the 10th year since our public launch, we remain laser focused on our initial vision of creating open standards for simpler, stronger user authentication based on asymmetric public key cryptography," Shikiar said. "We're replacing knowledge-based authentication, such as passwords, with possession-based authentication, such as a security key or connected device."

FIDO is privacy preserving, user-friendly, possession-based authentication, and recent conversations have centered on usability, Shikiar stated, adding that this shows the market is maturing, and the standard is moving from whiteboard discussions to real-world use cases. He then highlighted proposed changes to FIDO's specifications.

Device security, roaming credential

Shikiar noted that MFA is widely used to step up security, but fraudsters can intercept one-time passwords (OTPs) and redirect unwitting end-users to phishing sites. Proposed updates to FIDO ecommerce WebAuthn specs recommend Bluetooth communications as a way to block phishing attempts during authentication. This update would facilitate stronger security without requiring users to carry specialized hardware security keys, Shikiar stated.

Multi-device FIDO credentials would allow users to use one phishing-resistant authentication credential across a range of personal devices, such as phones, laptops, tablets and other connected platforms.

"Asking users to re-enroll each new device is an impediment to deployment and usability," Shikiar said. "We want to give relying parties the option of making a private key immediately available to users with a password-manager-like experience. Instead of automatically issuing a password, your password manager would issue a FIDO key. With this key, you could walk up to any new device and be recognized immediately, in a more secure way than passwords."

Passwordless journey

"If you look at why passwords are so successful, even push notifications, one-time passwords, it's because they're ubiquitous," Shikiar said. "Anyone can enter a password. It's not the best or easiest thing to do effectively, but anyone can do it. We need something equally ubiquitous to replace passwords, and we've made great progress with FIDO security built into every device."

On a recent family vacation, Shikiar found it necessary to create a username and password with each hotel and restaurant reservation on sites, he noted, that weren't even secure or high value. "Imagine a scenario where I could rely on a platform to log me into these things," he said. "Enabling this vision will start to minimize reliance on passwords for the user, and even more importantly, for the service provider."

For additional information on recent FIDO Alliance updates and use cases, visit https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases.pdf.

nexo Implementation Specification v4.0

nexo is a global association dedicated to advancing payments interoperability by removing barriers to global acceptance. Headquartered in Brussels, the organization works across the payments ecosystem with acceptors, processors, payment schemes, solution providers and vendors. The association recently enhanced its nexo Implementation Specification (NIS) v4.0, a set of tools and guidelines designed to expedite development, integrations and deployment.

Jacques Soussana, secretary-general at nexo, said that interoperability is crucial for POS terminals. "Each card scheme usually requires its own software and hardware component, known as a kernel, within the payment terminal to support a successful transaction," he said in a statement. "For terminal manufacturers, merchants and banks, if you want to accept and support several payment cards, this can quickly become complex and expensive, sometimes requiring multiple point of sale terminals at the checkout."
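The FIDO passage above ("Device security, roaming credential") contrasts one-time passwords, which a fraudster can capture and relay, with FIDO/WebAuthn assertions built on asymmetric public key cryptography. The Go program below is an added example written for this page; it is not code from the FIDO Alliance, from any of the organizations quoted, or from the article. It models the three parties of a WebAuthn login (authenticator, browser, relying party) with standard-library ECDSA and shows why a look-alike site obtains nothing usable: the browser, not the page, writes the origin into the signed client data and refuses to sign for a relying-party ID that does not match that origin, and the server checks origin, rpId hash and a single-use challenge before accepting the signature. The names bank.example, bank-login.example and the user alice are constructed; the authenticator-data layout (sha256(rpId), flags, counter) follows WebAuthn, but every struct and function name is this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Authenticator models a security key or platform authenticator. Each credential
// is scoped to one relying-party ID and its private key never leaves the device.
type Authenticator struct {
	creds   map[string]*ecdsa.PrivateKey // rpID -> private key
	counter uint32                       // signature counter carried in every assertion
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a P-256 key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = k
	return &k.PublicKey, nil
}

// Assertion is what the relying party receives: authenticator data, the client
// data the browser built, and a signature covering both.
type Assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte
}

// authenticatorData is sha256(rpID) || flags || counter, as in WebAuthn.
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(h[:], 0x01), ctr[:]...) // flag 0x01 = user present
}

// signedDigest is sha256(authenticatorData || sha256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Sign returns an assertion for rpID, or an error if no credential exists for it.
func (a *Authenticator) Sign(rpID string, clientDataJSON []byte) (*Assertion, error) {
	k, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential registered for " + rpID)
	}
	a.counter++
	authData := authenticatorData(rpID, a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedDigest(authData, clientDataJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, clientDataJSON, sig}, nil
}

// Browser models the client. It records the true origin itself (page script cannot
// forge it) and refuses an rpID that is not the origin's host or a parent domain.
func Browser(origin, rpID, challenge string, auth *Authenticator) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	if host := u.Hostname(); host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser: rpId %q is not valid for origin %s", rpID, origin)
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	return auth.Sign(rpID, cd)
}

// RelyingParty is the server: it issues single-use challenges and checks origin,
// rpId hash and signature before accepting a login.
type RelyingParty struct {
	ID, Origin string
	pubs       map[string]*ecdsa.PublicKey
	challenges map[string]string
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubs: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

func (rp *RelyingParty) NewChallenge(user string) string {
	b := make([]byte, 32)
	rand.Read(b)
	rp.challenges[user] = base64.RawURLEncoding.EncodeToString(b)
	return rp.challenges[user]
}

func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want, ok := rp.challenges[user]
	delete(rp.challenges, user) // single use, so a captured assertion cannot be replayed
	h := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("rp: unexpected ceremony type")
	case !ok || cd.Challenge != want:
		return errors.New("rp: unknown or reused challenge")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("rp: assertion came from origin %s, not %s", cd.Origin, rp.Origin)
	case len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], h[:]):
		return errors.New("rp: rpId hash mismatch")
	}
	pub := rp.pubs[user]
	if pub == nil || !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("rp: bad signature")
	}
	return nil
}

// Scenario runs a legitimate login and then a relay attempt from a look-alike
// origin (constructed names) and returns both outcomes.
func Scenario() (legit, phish error) {
	auth := NewAuthenticator()
	rp := NewRelyingParty("bank.example", "https://bank.example")
	pub, err := auth.Register(rp.ID)
	if err != nil {
		return err, nil
	}
	rp.Enroll("alice", pub)
	as, err := Browser(rp.Origin, rp.ID, rp.NewChallenge("alice"), auth)
	if err != nil {
		return err, nil
	}
	legit = rp.Verify("alice", as)
	// An OTP relay works because the code is valid wherever it is typed; here the
	// look-alike site forwards the real challenge, but the browser will not sign
	// for bank.example from a different origin, so there is nothing to relay.
	_, phish = Browser("https://bank-login.example", rp.ID, rp.NewChallenge("alice"), auth)
	return legit, phish
}

func main() {
	legit, phish := Scenario()
	fmt.Println("legitimate login:", legit)
	fmt.Println("look-alike origin:", phish)
}
```

Running it prints `<nil>` for the legitimate login and a browser error for the look-alike origin. The same properties are what a production relying party must check when it consumes a real WebAuthn response: the origin in clientDataJSON, the rpIdHash in the authenticator data, and a challenge that is accepted exactly once.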