Datawiza
Back to blog
November 12, 2025BlogIndustry

PCI DSS v4.0 and MFA: What You Need to Know (and How to Comply Without Rewriting Your Apps)

Work Safety and Compliance Concept. Businessman holding magnifying glass with icons work safety, compliance, risk management, and operational efficiency, emphasizing importance of safety standards.

The New PCI DSS v4.0 Era

The Payment Card Industry Data Security Standard (PCI DSS v4.0) modernizes how organizations protect cardholder data. Released by the PCI Security Standards Council on March 31, 2022, the update reflects today’s realities: remote work, web portals, APIs, and cloud-based payment systems.

One of the most important changes: Multi-Factor Authentication (MFA) for all access into the Cardholder Data Environment (CDE).

Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.

PCI Security Standards Council

March 2022

What PCI DSS v4.0 Says About MFA

In PCI DSS v3.2.1, MFA was only required for administrators and remote access. With v4.0, Requirement 8 now expands MFA to all access into the CDE — including internal and local access. This closes a long-standing gap that attackers exploited through lateral movement and credential stuffing.

What Counts as MFA?

Multi-Factor Authentication verifies a user’s identity using two or more independent factors:

  • Something you know — password or PIN
  • Something you have — authenticator app, hardware key, or email OTP
  • Something you are — biometric verification

Phishing-resistant factors such as FIDO2/WebAuthn are recommended wherever possible.

Where to Enforce MFA Under PCI DSS v4.0

Access TypeRequirement
Administrative access (root, DBAs, sysadmins)✅ Required
Remote access (VPN, RDP, SSH)✅ Required
Internal access to CDE systems✅ Required
Customer web portals displaying stored card data⚠️ Strongly recommended
Tokenized or anonymized systems (out of CDE scope)Optional (document out of scope)

If your web portal displays or retrieves cardholder data, MFA is required for internal access and strongly recommended for customers. It helps demonstrate strong authentication and reduces account-takeover risk.

The Real Challenge: Adding MFA to Legacy and Custom Apps

Many payment or customer portals were built long before modern identity platforms like Okta, Microsoft Entra ID, or Ping Identity. Rewriting login flows or session logic is costly and risky — but PCI DSS v4.0 doesn’t give you that luxury.

That’s where Datawiza makes compliance simple.

How Datawiza Helps You Meet PCI DSS MFA Requirements

datawiza no-code mfa nydfs compliance
datawiza no-code mfa nydfs compliance

Datawiza is a no-code access proxy that adds MFA, SSO, and granular access control to any application — modern or legacy — without code changes.

  • No code changes: Add MFA in front of apps instantly.
  • Any environment: Works on-prem, in the cloud, or hybrid.
  • Any IdP: Integrates with Okta, Microsoft Entra ID, Ping, Duo, or Datawiza-hosted MFA.
  • Auditable logs: Every login and MFA event is recorded for QSA and PCI audit evidence.
  • Compliant architecture: Aligns with PCI DSS v4.0 Requirement 8 and supports least-privilege access.

Whether you’re protecting an internal admin console or a customer payment portal, Datawiza enforces MFA — fast, secure, and compliant.

Why MFA Matters Beyond Compliance

PCI DSS v4.0 isn’t just about passing an audit — it’s about protecting your customers and your reputation. According to Microsoft Security, MFA stops over 99 % of credential-based attacks. Enforcing MFA everywhere strengthens digital trust and dramatically reduces fraud.

Key Takeaways

  • PCI DSS v4.0 expands MFA to all access into the Cardholder Data Environment.
  • MFA = two or more factors: password + device, token, or biometric.
  • Web portals showing card data are in scope for MFA.
  • Datawiza enables MFA for any app — no code, no downtime, no compliance headaches.

Start Enforcing MFA Everywhere — Fast

Add MFA to your PCI-scoped applications in minutes with Datawiza Access Proxy. No code. No rebuilds. Full compliance.

👉 Request a Demo 👉 Learn about Datawiza Access Proxy to Enable MFA without Code Changes

Datawiza is Easy to Get Started

Sign up to secure your AI agents and critical enterprise apps

Try Datawiza