PCI DSS 8.4.3: Require MFA for Remote Network Access
Remote access is a critical security vulnerability if not properly protected. PCI DSS 8.4.3 mandates that all users accessing your network from outside your organization must use multi-factor authentication (MFA). This control prevents unauthorized access even if credentials are compromised.
What this means
Multi-factor authentication (MFA) adds a second verification layer beyond passwords for anyone connecting to your network remotely. This means employees, contractors, and administrators must verify their identity through at least two independent methods—such as a password plus a time-based code, biometric scan, or hardware token—before gaining access. The requirement applies to all remote connections, including VPNs, remote desktop access, and cloud applications. This significantly reduces the risk of account takeover and unauthorized data access.
How to comply
- 1.Inventory all remote access points including VPNs, RDP sessions, and remote management tools
- 2.Select an MFA solution compatible with your infrastructure (TOTP, hardware tokens, push notifications, or biometric methods)
- 3.Deploy MFA enforcement at the authentication layer before network access is granted
- 4.Configure MFA to apply to all remote users regardless of role or access level
- 5.Test MFA implementation with a pilot group before full rollout
- 6.Document MFA requirements in your remote access policy
- 7.Establish procedures for users to register and manage their MFA devices
- 8.Monitor MFA logs to track authentication attempts and detect anomalies
- 9.Maintain audit records showing MFA is active for all remote sessions
Evidence auditors look for
- VPN gateway configuration showing MFA requirement enabled
- Active Directory or identity provider settings with MFA policies enforced
- Screenshots of MFA enrollment and verification prompts
- System logs showing successful MFA authentication for remote sessions
- Remote access policy document referencing MFA requirements
- Hardware token inventory or authenticator app registration records
- Audit reports listing all users with active MFA credentials
- Incident response logs showing MFA prevented unauthorized access attempts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates MFA compliance verification by continuously monitoring your authentication systems, generating audit-ready evidence logs, and tracking MFA enrollment status across all remote users—eliminating manual documentation work for 8.4.3 assessment.
See how GRCWatch handles this control automatically
Start free trial