Edit

Share via


Microsoft Entra PCI-DSS Multi-Factor Authentication guidance

Information Supplement: Multi-Factor Authentication v 1.0

Use the following table of authentication methods supported by Microsoft Entra ID to meet requirements in the PCI Security Standards Council Information Supplement, Multi-Factor Authentication v 1.0.

Method To meet requirements Protection MFA element
Passwordless phone sign in with Microsoft Authenticator Something you have (device with a key), something you know or are (PIN or biometric)
In iOS, Authenticator Secure Element (SE) stores the key in Keychain. Apple Platform Security, Keychain data protection
In Android, Authenticator uses Trusted Execution Engine (TEE) by storing the key in Keystore. Developers, Android Keystore system
When users authenticate using Microsoft Authenticator, Microsoft Entra ID generates a random number the user enters in the app. This action fulfills the out-of-band authentication requirement.
Customers configure device protection policies to mitigate device compromise risk. For instance, Microsoft Intune compliance policies. Users unlock the key with the gesture, then Microsoft Entra ID validates the authentication method.
Windows Hello for Business Deployment Prerequisite Overview Something you have (Windows device with a key), and something you know or are (PIN or biometric).
Keys are stored with device Trusted Platform Module (TPM). Customers use devices with hardware TPM 2.0 or later to meet the authentication method independence and out-of-band requirements.
Certified Authenticator Levels
Configure device protection policies to mitigate device compromise risk. For instance, Microsoft Intune compliance policies. Users unlock the key with the gesture for Windows device sign in.
Enable passwordless security key sign-in, Enable FIDO2 security key method Something that you have (FIDO2 security key) and something you know or are (PIN or biometric).
Keys are stored with hardware cryptographic features. Customers use FIDO2 keys, at least Authentication Certification Level 2 (L2) to meet the authentication method independence and out-of-band requirement.
Procure hardware with protection against tampering and compromise. Users unlock the key with the gesture, then Microsoft Entra ID validates the credential.
Overview of Microsoft Entra certificate-based authentication Something you have (smart card) and something you know (PIN).
Physical smart cards or virtual smartcards stored in TPM 2.0 or later, are a Secure Element (SE). This action meets the authentication method independence and out-of-band requirement.
Procure smart cards with protection against tampering and compromise. Users unlock the certificate private key with the gesture, or PIN, then Microsoft Entra ID validates the credential.

Next steps

PCI-DSS requirements 3, 4, 9, and 12 aren't applicable to Microsoft Entra ID, therefore there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org: Official PCI Security Standards Council Site.

To configure Microsoft Entra ID to comply with PCI-DSS, see the following articles.