Enabling strict PCI compliance mode

IBM® MFA supports the Payment Card Industry Data Security Standard (PCI DSS) through the Enable Strict PCI Compliance Mode setting. It is recommended that you do not enable this setting unless you are fully aware of the ramifications.

About this task

The following actions are taken when you enable Strict PCI Compliance Mode:
  • All messages that indicate success or failure are modified to be generic.
  • Messages that request more information when authentication succeeds are displayed. For example, if the authentication succeeds but the password has expired, the password expiration message is displayed.
  • Unexpected conditions, server failures, and abends return COULD_NOT_EVALUATE. Messages associated with the error are ignored and are not returned.
The following actions are taken for IBM MFA Out-of-Band authentication when you enable Strict PCI Compliance Mode:
  • The web page prompts for all factors before validating the user's response and returning a status. If there is a failure, the user does not know which factor failed.
  • Messages returned to the user for an authentication request are suppressed. The user does not know which factor caused the authentication to fail. However, "need more information" messages generated after a successful authentication are displayed.
  • A cache token credential is always returned, even if the authentication request failed. The user cannot determine which part of the authentication failed.
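The following is an added illustration of the message-handling rules listed above, written as a small Python model; it is not IBM MFA code and does not reflect how IBM MFA is implemented. The user record, factor checks, message text and the cache token credential format are all constructed assumptions. It places a non-strict, factor-naming authenticator next to a strict one so the difference in what a caller can learn from the response is visible: the strict version evaluates every factor before deciding, returns one generic failure message, maps unexpected errors to COULD_NOT_EVALUATE without their detail, always issues a token, and still surfaces a post-success "need more information" message such as password expiry.

```python
"""Model of Strict PCI Compliance Mode message handling.

Constructed example, not IBM MFA code. USERS, the message strings and the
token format are illustrative assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed user record: two factor secrets plus an expired-password flag.
USERS = {
    "alice": {"password": "correct horse", "totp": "123456", "password_expired": True},
}
# Dummy record used for unknown users so that both factor checks still run.
_DUMMY = {"password": "", "totp": "", "password_expired": False}


@dataclass
class Result:
    status: str                                     # SUCCESS, FAILURE or COULD_NOT_EVALUATE
    message: str                                    # text returned to the user
    info_messages: list = field(default_factory=list)  # "need more information" messages
    ctc: str = ""                                   # cache token credential (assumed format)


def _check(expected: str, supplied: str) -> bool:
    return hmac.compare_digest(expected.encode(), supplied.encode())


def authenticate_verbose(user, password, totp, factor_store=USERS) -> Result:
    """Non-strict behaviour, for contrast: stops at the first failing factor
    and names it, so the response reveals which factor was wrong."""
    record = factor_store.get(user)
    if record is None:
        return Result("FAILURE", "Unknown user")
    if not _check(record["password"], password):
        return Result("FAILURE", "Password incorrect")
    if not _check(record["totp"], totp):
        return Result("FAILURE", "TOTP code incorrect")
    return Result("SUCCESS", "Authentication succeeded", ctc=secrets.token_hex(8))


def authenticate_strict(user, password, totp, factor_store=USERS) -> Result:
    """Strict-mode behaviour as described on the page."""
    try:
        record = factor_store.get(user)
        known = record is not None
        rec = record if known else _DUMMY
        # Every factor is evaluated before any decision is made; no short-circuit.
        pw_ok = _check(rec["password"], password)
        totp_ok = _check(rec["totp"], totp)
        ok = known and pw_ok and totp_ok
    except Exception:
        # Unexpected condition: generic status, underlying error detail discarded.
        return Result("COULD_NOT_EVALUATE", "Authentication could not be evaluated",
                      ctc=secrets.token_hex(8))
    ctc = secrets.token_hex(8)  # always issued, whether or not authentication passed
    if not ok:
        # One generic message regardless of which factor (or the user lookup) failed.
        return Result("FAILURE", "Authentication failed", ctc=ctc)
    info = []
    if record["password_expired"]:
        # Post-success "need more information" messages are still displayed.
        info.append("Password has expired")
    return Result("SUCCESS", "Authentication succeeded", info, ctc)


def strict_failure_messages_identical(factor_store=USERS) -> bool:
    """Returns True when a wrong password, a wrong TOTP and an unknown user all
    produce the same message, the same status and no info messages."""
    outcomes = [
        authenticate_strict("alice", "wrong", "123456", factor_store),
        authenticate_strict("alice", "correct horse", "000000", factor_store),
        authenticate_strict("nobody", "x", "y", factor_store),
    ]
    return (len({(r.status, r.message, tuple(r.info_messages)) for r in outcomes}) == 1
            and all(r.status == "FAILURE" and r.ctc for r in outcomes))


if __name__ == "__main__":
    print(authenticate_verbose("alice", "correct horse", "000000"))
    print(authenticate_strict("alice", "correct horse", "000000"))
    print(authenticate_strict("alice", "correct horse", "123456"))
```

In the model, `factor_store` is any object with a `get` method, so a store whose `get` raises stands in for a backend failure and exercises the COULD_NOT_EVALUATE path.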