Modernizing PCI DSS Authentication Using Phishing-Resistant Methods
Published: Jun 12, 2025
Imagine your computer account is like your house: you need specific keys to get inside, where all your valuables are kept. For years, people relied on simple door locks requiring only one key, like a password, as their main form of security. But clever thieves, known as "phishers," have become very skilled at tricking people into handing over copies of their keys (stealing passwords, codes, and authentication tokens). This growing threat has prompted the need for newer and stronger methods of authentication in payment security, such as phishing-resistant authentication.
In this article, we’ll describe how cyber criminals now attack traditional payment security measures and introduce phishing-resistant authentication technologies and how they are transforming PCI DSS compliance. We’ll also detail the specific PCI DSS multi-factor authentication requirements and explain the new passkey exception for PCI DSS 8.4.2; this way, you can proceed into the future of payment authentication with confidence and choose the right phishing-resistant option for your organization.
Understanding Your Authentication Options
Traditional Multi-Factor Authentication (MFA) is like having multiple locks to get into your home. You might need a physical house key (something you have), plus a PIN code (something you know), and maybe even your fingerprint (something you are). This makes it much harder for intruders to break in because they would need access to all three of these layers.
However, cyber criminals have evolved. Instead of just picking your locks, they started building fake houses that looked exactly like yours, and when you unknowingly tried to unlock their fake door using your real keys, they'd steal copies of everything. This tactic is called phishing - like fishing, but instead of catching fish, they catch the keys to your secrets.
Phishing-resistant authentication works differently from traditional security methods. Think of it like having a smart key that only works at your real bank. Even when criminals spoof your bank's website, your smart key will refuse to work there. It's as if the key and your real bank have a secret handshake that fake websites can't copy. This secret handshake is so complex and unique that even if criminals steal your password, they still can't get into your account without your smart key actually agreeing to work with the real website.
How Cyber Criminals Attack Traditional Authentication
Cyber criminals have developed sophisticated methods to bypass traditional MFA systems in the following ways:
- Phishing Attacks: Criminals create fake (also known as spoofed) websites that look identical to legitimate login pages. When users enter their credentials and MFA codes, attackers capture everything in real-time and immediately use them to access the real system.
- Push Bombing (Push Fatigue): Attackers flood users with authentication requests until they approve one, by accident or out of frustration, granting unauthorized access.
- SIM Swap Attacks: Criminals convince cellular carriers to transfer a victim's phone number to an attacker-controlled device, allowing them to receive SMS-based authentication codes via text message.
- Signaling System 7 (SS7) Protocol Exploitation: Advanced attackers exploit vulnerabilities in telecommunications infrastructure to intercept SMS messages and voice calls containing authentication codes.
These attacks have proven successful against traditional MFA methods including SMS codes, email-based one-time passwords, time-based authenticator app codes, and basic push notifications, signaling the need for more advanced phishing-resistant authentication technologies.
Understanding Phishing-Resistant Authentication Technologies
Phishing-resistant authentication methods use cryptographic protocols that bind the authentication process directly to the specific service being accessed. This creates a cryptographic link between the user's authenticator and the legitimate service that fraudulent websites cannot replicate. Many phishing-resistant authentication methods also incorporate proximity-based requirements, adding an additional layer of protection.
For example, hardware security keys often require physical proximity to the device through a USB connection or Bluetooth pairing. This proximity requirement means that even if an attacker successfully tricks a user into visiting a fraudulent website, the attacker cannot complete the authentication process without physical access to both the user's device and their security key. This proximity-based approach makes remote attacks significantly more difficult, as cybercriminals would need to be physically present to exploit the authentication system.
Fast IDentity Online 2 (FIDO2) and Web Authentication (WebAuthn) represent the most widely available phishing-resistant authentication standards, leveraging public key cryptography where each online service receives a unique cryptographic key pair. The private key remains securely stored on the user's authenticating device—whether a smartphone, laptop, tablet, or dedicated security key—within tamper-resistant hardware like Trusted Platform Modules (TPM) or Secure Enclaves, while the corresponding public key is shared with the service.
FIDO2 works in two phases: enrollment (creating and registering keys) and authentication (proving your identity with cryptographic signatures). FIDO2 authenticators come in two forms: platform authenticators built into devices using biometrics or PINs, and roaming authenticators like external security keys that work across multiple devices. Public key infrastructure-based authentication using digital certificates, such as government Personal Identity Verification (PIV) cards, provides another phishing-resistant option. Both methods use cryptographic binding that prevents authenticators from working on fraudulent websites, even if they perfectly mimic legitimate sites.
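To make the "secret handshake" concrete, here is an added simulation (not code from the article or from any FIDO2 product) of the two WebAuthn phases described above: enrollment creates a P-256 key pair scoped to a Relying Party ID, and authentication returns an ES256 signature over the RP ID hash and the browser-written client data. The RP ID "bank.example", the origins and the challenge bytes are constructed for illustration, and the authenticator data is reduced to the RP ID hash alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Credential models an authenticator's private key, scoped to the RP ID it was enrolled for.
type Credential struct{ RPID string; Key *ecdsa.PrivateKey }
// Assertion: simplified authData (just the 32-byte rpIdHash), clientDataJSON, ES256 signature.
type Assertion struct{ AuthData, ClientData, Sig []byte }
// Register simulates enrollment: a fresh P-256 key pair bound to rpID.
func Register(rpID string) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Credential{RPID: rpID, Key: key}, err
}
// signedDigest is the ES256 input: sha256(authData || sha256(clientDataJSON)).
func signedDigest(rpHash [32]byte, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}
// Assert simulates browser plus authenticator at origin: the credential is offered only when the host is the RP ID or a subdomain of it, and the browser, not the page, records the true origin.
func Assert(c *Credential, origin string, challenge []byte) (Assertion, bool) {
	host := strings.TrimPrefix(origin, "https://")
	if host != c.RPID && !strings.HasSuffix(host, "."+c.RPID) {
		return Assertion{}, false // no credential usable at this origin
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	rpHash := sha256.Sum256([]byte(c.RPID))
	sig, err := ecdsa.SignASN1(rand.Reader, c.Key, signedDigest(rpHash, cd))
	return Assertion{AuthData: rpHash[:], ClientData: cd, Sig: sig}, err == nil
}
// Verify is the relying-party check: rpIdHash, origin and challenge must all match before the
// signature counts, so an assertion relayed from a phishing origin is rejected.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a Assertion) bool {
	var cd struct{ Challenge, Origin string }
	rpHash := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.ClientData, &cd) != nil || string(a.AuthData) != string(rpHash[:]) ||
		cd.Origin != origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(rpHash, a.ClientData), a.Sig)
}
```

A look-alike domain never gets the credential offered at all, and even an assertion captured on a legitimate subdomain fails verification when replayed against a different expected origin or challenge.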
Important Note: While phishing-resistant authentication provides superior protection against credential-based attacks, organizations should implement additional security controls for other threats like push bombing, SS7 exploitation, or SIM swap attacks, especially when pursuing PCI DSS compliance.
PCI DSS Requirements: A Multi-Layered Approach to Authentication
The Payment Card Industry Data Security Standard (PCI DSS) establishes specific multi-factor authentication requirements across different access scenarios:
- Requirement 8.4.1 mandates MFA for all non-console access into the cardholder data environment (CDE) for personnel with administrative access, recognizing that administrative accounts represent the highest-value targets for cybercriminals.
- Requirement 8.4.2 requires MFA for all non-console access into the CDE, regardless of user privilege level. Importantly, this requirement includes a critical applicability note: This requirement for MFA does not apply for user accounts that are authenticated solely with phishing-resistant authentication factors.
- Requirement 8.4.3 extends MFA requirements to all remote access originating from outside the entity's network that could access or impact the CDE.
These requirements apply to all types of system components, including cloud services, hosted systems, on-premises applications, network security devices, workstations, servers, and endpoints.
The Revolutionary Passkeys Exception for PCI DSS 8.4.2
Recent updates to PCI DSS guidance (FAQ 1595) have introduced a groundbreaking exception: Passkeys synced across devices, when implemented according to FIDO2 requirements, are considered phishing-resistant authentication and may be used as a single authentication factor in place of MFA to meet PCI DSS Requirement 8.4.2.
This passkey exception represents a fundamental shift in security thinking because it acknowledges that properly implemented phishing-resistant authentication methods provide security equivalent to or superior to traditional multi-factor authentication. The cryptographic binding and domain verification inherent in FIDO2 protocols create security properties more robust than those found in traditional MFA factors, which can be phished, intercepted, or replayed.
However, this exception is carefully limited to Requirement 8.4.2. For Requirements 8.4.1 (administrative access) and 8.4.3 (remote access), phishing-resistant authentication alone is not acceptable and must be combined with an additional authentication factor, such as a password, PIN, or biometrics.
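The applicability rules above are easy to misread, so here is an added decision helper (constructed for this article, not text or tooling from the PCI SSC) that models the three requirements as the article describes them: a phishing-resistant factor alone satisfies 8.4.2, while 8.4.1 and 8.4.3 still need two distinct factor categories. The factor categories and the Access struct are my own simplification.

```go
package main

// Factor is a category of authentication factor, as the article groups them.
type Factor int

const (
	Knowledge         Factor = iota // password or PIN
	Possession                      // hardware token or OTP device
	Inherence                       // biometric
	PhishingResistant               // FIDO2/WebAuthn credential, synced passkey, PIV certificate
)

// Access describes one non-console access path into the CDE (constructed model, not the
// standard's own wording).
type Access struct {
	Administrative bool // triggers Requirement 8.4.1
	Remote         bool // originates outside the entity's network: Requirement 8.4.3
}

// Applicable returns the requirements that govern this access path; 8.4.2 always applies.
func Applicable(a Access) []string {
	reqs := []string{"8.4.2"}
	if a.Administrative {
		reqs = append(reqs, "8.4.1")
	}
	if a.Remote {
		reqs = append(reqs, "8.4.3")
	}
	return reqs
}

// Evaluate reports, per applicable requirement, whether the presented factors satisfy it.
// Two factors of the same category (two passwords) count as one; the FAQ 1595 exception
// lets a phishing-resistant factor stand alone only for 8.4.2.
func Evaluate(a Access, factors []Factor) map[string]bool {
	categories := map[Factor]bool{}
	for _, f := range factors {
		categories[f] = true
	}
	multiFactor := len(categories) >= 2
	result := map[string]bool{}
	for _, req := range Applicable(a) {
		if req == "8.4.2" {
			result[req] = multiFactor || categories[PhishingResistant]
		} else {
			result[req] = multiFactor
		}
	}
	return result
}
```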
Implementation Strategy and Compliance Documentation
Organizations have several phishing-resistant authentication options, each with distinct advantages:
- PIV Card Implementation: PIV cards remain the gold standard for federal environments, providing strong cryptographic authentication through embedded digital certificates. While highly secure, PIV cards require physical card readers and are primarily designed for government use.
- FIDO2 Security Keys (Roaming Authenticators): Hardware security keys like YubiKey 5 Series and RSA DS-100 offer cross-platform compatibility and can be used across multiple devices and operating systems. These work well for users in mixed operating system environments.
- Platform Authenticators: Built-in biometric authentication leverages device security hardware including fingerprint readers and facial recognition. Solutions like Windows Hello and Apple FaceID provide seamless user experience and cost-effective deployment using existing device capabilities.
- Synced Passkeys: The newest approach allows users to authenticate across devices using cloud-synchronized FIDO2 credentials. These provide an excellent user experience by eliminating physical security keys while maintaining FIDO2 security properties.
- Enterprise Password-less Platforms: Many identity providers offer comprehensive password-less solutions that can implement phishing-resistant authentication across entire organizations. Options include Okta FastPass, Microsoft Entra ID (formerly Azure AD), and other enterprise identity platforms. These solutions often combine multiple phishing-resistant technologies and can integrate seamlessly with existing enterprise infrastructure, providing centralized management and policy enforcement while supporting various authentication methods including FIDO2, biometrics, and device-based authentication.
- Hybrid Implementation Strategy: Most successful deployments combine multiple phishing-resistant options - PIV cards for highest-security environments, platform authenticators for cost-effective broad deployment, security keys for cross-platform scenarios, and synced passkeys for user convenience - ensuring users always have multiple phishing-resistant options available and eliminating reliance on vulnerable fallback authentication methods.
The Future of Payment Security Authentication in PCI DSS
The recognition of phishing-resistant authentication in PCI DSS represents a significant evolution in payment security standards, moving the industry toward authentication methods that can withstand sophisticated cyber-attacks while providing a better user experience. As threats continue to evolve and traditional MFA proves increasingly vulnerable to determined attackers, phishing-resistant technologies like FIDO2 passkeys are becoming the standard rather than the exception. This reflects a broader industry understanding that security must evolve beyond simply adding more authentication factors to implementing fundamentally more secure authentication architectures.
Organizations that proactively adopt phishing-resistant authentication methods will not only achieve compliance with current PCI DSS requirements but will also be better positioned for future security challenges. The cryptographic binding and domain verification inherent in these technologies provide superior protection against the attack methods described above while supporting long-term compliance and risk management strategies with reduced friction and improved adoption rates.
If your organization is ready to pursue PCI DSS Compliance, or you have further questions about any of the authentication methods or requirements, Schellman can help. Contact us today and we’ll get back to you shortly. In the meantime, discover additional PCI DSS insights in these helpful resources:
About Jesse Eldell
Jesse Eldell is a Senior Associate with Schellman. Prior to joining the firm in 2023, Jesse worked as a Security Assessor providing consultative services across many different organization types, including PCI DSS compliance services, SOC attestation services, and IT service management. As a Senior Associate with Schellman, Jesse focuses primarily on PCI engagements for organizations spanning many different industries.