PCI DSS v4.0 · Requirement 8

PCI DSS 4.0 now wants MFA for all access into the CDE — not just admins. Are your domain logons and jump hosts covered?

The headline change in PCI DSS v4.0 is in Requirement 8: MFA is no longer only for remote and administrative access. Requirement 8.4.2 mandates multi-factor authentication for all access into the cardholder data environment, and 8.5.1 says it must resist replay and can't be bypassed. For most teams the cloud apps were never the problem — it's the Windows jump hosts, the database servers, the AD logons, and the VPNs into the CDE that sit outside the IdP. Authnull enforces a phishing-resistant factor on each, mapped one-to-one to the sub-requirements your QSA will test.

At a glance
Framework: PCI DSS v4.0
Key controls: 8.4.2 · 8.4.1 · 8.4.3 · 8.5.1
Applies to: Anyone handling cardholder data
Timing: In effect — 31 Mar 2025
You walk away with: ROC / SAQ-ready access logs
Mapped to specific controls — not a generic MFA checklist.
The line that put you here
Multi-factor authentication (MFA) is implemented for all access into the CDE.
— PCI DSS v4.0, Requirement 8.4.2
8.4.2 was a best practice until 31 March 2025; it is now mandatory. If your last assessment only evidenced MFA on remote and admin access, this is the line that turns into a finding.
Requirement mapping

Requirement → Authnull

Control | What it requires | How Authnull covers it | Status
8.4.2 | MFA for all access into the cardholder data environment. | MFA on AD logon, Windows / RDP, and Linux SSH for every host inside the CDE — not only at the perimeter. | Covered
8.4.1 | MFA for all non-console administrative access to the CDE. | A factor on privileged RDP and SSH sessions and on directory-service admin logon. | Covered
8.4.3 | MFA for all remote network access originating from outside the entity. | RADIUS MFA on every VPN and remote-access gateway into the environment. | Covered
8.5.1 | MFA systems are not susceptible to replay and can't be bypassed. | Phishing-resistant push and FIDO2 / security-key factors, enforced at the OS and directory layer with no local bypass. | Covered
Why your IdP report isn't enough

The gap is always below the cloud login.

Your IdP already satisfies:
  E-commerce / SaaS SSO
  Web admin consoles via SAML

What it leaves for the audit:
  AD logon inside the CDE
  Jump hosts & RDP
  Database & Linux servers
  VPN into the CDE

Authnull enforces MFA on every path on the right — at the directory, OS, and RADIUS layer — so the column that fails the audit becomes the column that passes it.

Evidence

What you hand the assessor.

Requirement-mapped report

Coverage broken out by 8.4.1 / 8.4.2 / 8.4.3 / 8.5.1 so your QSA can tie each control to evidence.

Tamper-evident logs

Per-authentication records with user, system, factor and outcome — the trail Requirement 10 expects.

Replay-resistant by default

FIDO2 and push factors meet 8.5.1 without you re-architecting authentication.
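To show how the requirement mapping above and the requirement-mapped report fit together, here is an added example (not Authnull's code) that evaluates constructed per-authentication records against the 8.4.1 / 8.4.2 / 8.4.3 / 8.5.1 tests and reports which logons would surface as findings. The record fields, the "sms" factor and the hostnames are assumptions made for the sample.

```python
from dataclasses import dataclass
from typing import Optional

# Factors the page treats as replay-resistant for 8.5.1. "sms" below is a
# constructed example of a second factor that is NOT (an assumption here).
REPLAY_RESISTANT = {"fido2", "push"}


@dataclass(frozen=True)
class AuthEvent:
    user: str
    system: str             # host the logon landed on
    in_cde: bool            # host is inside the cardholder data environment
    access: str             # "console", "rdp", "ssh" or "vpn"
    privileged: bool        # administrative account or session
    origin: str             # "internal" or "external" to the entity's network
    factor: Optional[str]   # second factor used; None means password only


def coverage_report(events):
    """Return the failing user@system pairs for each sub-requirement."""
    findings = {"8.4.1": [], "8.4.2": [], "8.4.3": [], "8.5.1": []}
    for e in events:
        who = f"{e.user}@{e.system}"
        has_mfa = e.factor is not None
        if e.in_cde and not has_mfa:                       # any access into the CDE
            findings["8.4.2"].append(who)
        if e.in_cde and e.privileged and e.access != "console" and not has_mfa:
            findings["8.4.1"].append(who)                  # non-console admin access
        if e.origin == "external" and not has_mfa:         # remote access from outside
            findings["8.4.3"].append(who)
        if has_mfa and e.factor not in REPLAY_RESISTANT:   # MFA present but replayable
            findings["8.5.1"].append(who)
    return findings


def status(findings):
    """Collapse findings into the Covered / Finding column a QSA would read."""
    return {c: ("Covered" if not w else f"Finding ({len(w)})") for c, w in findings.items()}


# Constructed sample: one clean logon and four that each miss a different control.
SAMPLE = [
    AuthEvent("alice", "jump-01", True, "rdp", True, "internal", "fido2"),
    AuthEvent("bob", "db-02", True, "ssh", False, "internal", None),
    AuthEvent("carol", "dc-01", True, "rdp", True, "internal", None),
    AuthEvent("dave", "vpn-gw", True, "vpn", False, "external", None),
    AuthEvent("erin", "jump-01", True, "rdp", True, "external", "sms"),
]

if __name__ == "__main__":
    for control, state in status(coverage_report(SAMPLE)).items():
        print(control, state)
```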

Close the 8.4.2 gap before your QSA samples it.

Enforce MFA across every host and path inside the CDE, mapped to the exact sub-requirements. Start free, or review your scope with a compliance engineer.
