GRCWatch
Sign inStart free trial

PCI DSS 8.4.2: Multi-Factor Authentication for Non-Console CDE Access

Multi-factor authentication (MFA) is a critical security layer that prevents unauthorized access to your cardholder data environment, even when passwords are compromised. PCI DSS 8.4.2 mandates MFA for all non-console access into the CDE—a foundational control that protects payment card data from credential-based attacks. This guide explains what's required and how to implement it effectively.

What this means

Non-console access refers to remote logins and network-based connections to systems within your cardholder data environment, excluding direct physical console connections. MFA requires users to authenticate using at least two of three factor types: something they know (password), something they have (hardware token, phone), or something they are (biometric). This control eliminates the risk of single-factor password compromise by requiring a second verification step before granting CDE access.

How to comply

  1. 1.Identify all systems and applications within the CDE that allow non-console access (remote desktop, SSH, web applications, APIs).
  2. 2.Select and deploy MFA solutions compatible with your environment (TOTP apps, hardware keys, push notifications, SMS—avoiding SMS where possible).
  3. 3.Configure MFA as mandatory for all user accounts with non-console CDE access, including administrators and service accounts.
  4. 4.Implement conditional MFA policies that trigger for high-risk access patterns (new location, unusual time, failed login attempts).
  5. 5.Document all MFA configurations, supported methods, and enrollment procedures in your security policies.
  6. 6.Test MFA implementation across all CDE access points to ensure no bypass mechanisms exist.
  7. 7.Train all users on MFA enrollment and usage to minimize adoption friction and support tickets.
  8. 8.Monitor and log all MFA events, including successful authentications and failed attempts, for audit trails.

Evidence auditors look for

  • MFA enrollment records showing all CDE users registered for multi-factor authentication
  • System configuration screenshots demonstrating MFA enforcement at login prompts
  • MFA solution logs capturing successful authentications and failed verification attempts
  • Policy documentation defining which CDE systems require MFA and supported authentication methods
  • Access control lists confirming MFA is enabled for remote access protocols (RDP, SSH, VPN)
  • User training records and completion certificates for MFA procedures
  • Third-party MFA provider reports or attestations confirming service delivery and uptime
  • Incident response logs showing detection and blocking of unauthorized access attempts blocked by MFA

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates MFA policy enforcement across your CDE by integrating with your identity providers to track enrollment status, flag non-compliant users, and generate audit-ready reports—eliminating manual tracking and compliance gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 8.1 — Assign Unique User IDsPCI DSS 8.2 — Implement Strong Authentication MethodsPCI DSS 8.3 — Protect Against Unauthorized AccessPCI DSS 8.5 — Restrict Access to Cardholder Data by Business NeedPCI DSS 10.2 — Log All CDE Access