PCI-DSS 8.3: Multi-Factor Authentication Explained
Require MFA for all access into the cardholder data environment and for all remote network access originating from outside the entity's network.
OFFICIAL REFERENCE (PARAPHRASED)
Multi-factor authentication (MFA) is implemented for all access into the cardholder data environment. (PCI DSS v4.0.1 Requirement 8.3.1)
Last reviewed: June 2026. Not legal or audit advice.
WHAT EVIDENCE SATISFIES THIS
- ✓ MFA configuration for CDE access
- ✓ Remote access MFA enforcement
- ✓ MFA exception register with compensating controls
- ✓ Authentication policy referencing PCI MFA requirements
Cross-framework overlap
This control requirement also appears in: