Two-factor authentication helps charity comply with PCI DSS

Two-factor authentication is a must for any company that needs to comply with the Payment Card Industry Data Security Standard. Find out how one company implemented token-based authentication and how it overcame any rollout issues.

As a holder of personal and financial data about its donors, the charity World Vision U.K. needs to be as secure as any other organisation. And because many donors give money via their credit cards, the charity also has to comply with the Payment Card Industry Data Security Standard (PCI DSS).

Milton Keynes-based World Vision has always taken security seriously, but recently realised during an audit that it failed to meet one key aspect of PCI DSS, which requires that remote users accessing a corporate network where credit card details are held must connect using two-factor authentication. This part of the standard is intended to prevent unauthorised users from accessing information using a stolen password.


Up to late 2009, World Vision's remote users -- who could be travelling around the U.K. or overseas -- used an authentication scheme that relied solely on usernames and passwords.

IT project manager Adrian Blair explained: "We use Citrix Metaframe, with thin-client terminals from Wyse and IGEL in our offices. When remote users dial in they have the same access to all their systems as if they were sitting in the office. We have field workers in Africa, where they have very poor connections, so they may have to go into an Internet café or a hotel to communicate."

It was essential to maintain that level of flexibility for the mobile workers, he said, to enable them to do their jobs just as easily as if they were inside the office. "The credit card details of our sponsors have always been protected by a lot of security, and we control who has access to those details through Citrix. But we still wanted the flexibility so that people could work when they are out of the office. We didn't want them to be limited in what they could do."

So last year, with flexibility in mind, Blair began a project with the charity to select and install a two-factor authentication system to bring World Vision into compliance with PCI DSS.

His first choice supplier was a managed service provider, but during the pilot stage there were signs it was the wrong choice.

"They were not very responsive," Blair said. "And when we carried out financial checks on them, we decided they were not an organisation we'd want to pay upfront for a long-term service. It is not just the technical solution that has to work; a managed service has to be there for the duration. That was a major issue."

He then called in Cambridge-based Signify Ltd, which has been operating a cloud-based authentication service for the last 10 years, and Blair said it has been a vast improvement.

Signify's managed service can handle a range of two-factor authentication methods, including both physical tokens and soft tokens that can be delivered to a mobile phone or laptop.

Blair decided to adopt RSA SecurID tokens that would provide users with one-time passcodes when working remotely. "We looked at tokenless working, but workers don't always have a good signal to get a soft token through their mobile phone or laptop," he said. "We felt it was more secure to give them a physical token, and the cost difference was not that big." The cost per token over three years is around £30.

Having chosen Signify and the SecurID token, he said the system was simple to implement. A short pilot project proved that Signify was prepared to offer plenty of support and that the registration of all 200 users would be quite straightforward.

Blair built a spreadsheet of all 200 users, showing the details of their access privileges and uploaded that to Signify's central system. "It allowed us to set the date for activation, meaning the users would get a welcome message at that date and time. It was extremely easy to do," he said.

The only problem occurred with the actual distribution of the tokens, which happened in December 2009. "The rollout was the most complicated bit, because you have to get the physical tokens out to the users," Blair said. "Getting them to register and to use the tokens correctly was more complex than the actual selection and implementation of the product."

The main problem was the snow that paralysed the country at that time. Some staff members had left their tokens in the office and were then unable to travel into work to collect them.

"We'd bought them tokens so they could put them on their key rings, but some people just forgot to do it," Blair said. "So when the new security was activated, they were unable to log on from home."

In the end, the organisation decided to keep the gateway open for a short transitional period so users without tokens could still log in with usernames and passwords. But as Blair said, the Web-based service from Signify is extremely easy to use and has required little training for users. Enrolment and registration of users is also easy to manage through a Web portal.

It means that the charity can now tick that final box in its PCI DSS compliance checklist while still letting remote users reach the critical systems they need.

But for anyone thinking of going the same route, Blair had a word of warning: "Don't underestimate the rollout. It is a change for people, and although it is a simple change in theory, it has to be closely managed."
