Microsoft Entra PCI-DSS Multi-Factor Authentication guidance

Information Supplement: Multi-Factor Authentication v 1.0

Use the following table of authentication methods supported by Microsoft Entra ID to meet requirements in the PCI Security Standards Council Information Supplement, Multi-Factor Authentication v 1.0.

The table has four columns: Method, To meet requirements, Protection, and MFA element. Each row is shown here as a labeled block.

Method: Passwordless phone sign in with Microsoft Authenticator
To meet requirements: Something you have (device with a key) and something you know or are (PIN or biometric). In iOS, Authenticator stores the key in the Keychain, backed by the Secure Element (SE); see Apple Platform Security, Keychain data protection. In Android, Authenticator uses the Trusted Execution Environment (TEE) by storing the key in the Keystore; see Developers, Android Keystore system. When users authenticate using Microsoft Authenticator, Microsoft Entra ID generates a random number that the user enters in the app. This action fulfills the out-of-band authentication requirement.
Protection: Customers configure device protection policies, for instance Microsoft Intune compliance policies, to mitigate device compromise risk.
MFA element: Users unlock the key with the gesture, then Microsoft Entra ID validates the authentication method.

Method: Windows Hello for Business (see Windows Hello for Business Deployment Prerequisite Overview)
To meet requirements: Something you have (Windows device with a key) and something you know or are (PIN or biometric). Keys are stored in the device Trusted Platform Module (TPM). Customers use devices with hardware TPM 2.0 or later to meet the authentication method independence and out-of-band requirements; see Certified Authenticator Levels.
Protection: Configure device protection policies, for instance Microsoft Intune compliance policies, to mitigate device compromise risk.
MFA element: Users unlock the key with the gesture for Windows device sign in.

Method: Passwordless security key sign-in (see Enable passwordless security key sign-in and Enable FIDO2 security key method)
To meet requirements: Something you have (FIDO2 security key) and something you know or are (PIN or biometric). Keys are stored with hardware cryptographic features. Customers use FIDO2 keys of at least Authenticator Certification Level 2 (L2) to meet the authentication method independence and out-of-band requirement.
Protection: Procure hardware with protection against tampering and compromise.
MFA element: Users unlock the key with the gesture, then Microsoft Entra ID validates the credential.

Method: Certificate-based authentication (see Overview of Microsoft Entra certificate-based authentication)
To meet requirements: Something you have (smart card) and something you know (PIN). Physical smart cards, or virtual smart cards stored in TPM 2.0 or later, are a Secure Element (SE). This meets the authentication method independence and out-of-band requirement.
Protection: Procure smart cards with protection against tampering and compromise.
MFA element: Users unlock the certificate private key with the gesture or PIN, then Microsoft Entra ID validates the credential.
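
The rows above describe what each method needs on the tenant side. The following added example (not part of this article or of any Microsoft tool) evaluates an exported authentication methods policy against those expectations for the three methods the policy covers (Windows Hello for Business is configured through device policy, not here). The sample policy is constructed; its field names follow the Microsoft Graph authenticationMethodsPolicy resource as understood by the author and should be checked against a real export.

```python
import json

# Constructed sample, modelled on the Microsoft Graph authenticationMethodsPolicy
# resource; the field names are assumptions to verify against a real tenant export.
SAMPLE_POLICY = json.loads("""
{"authenticationMethodConfigurations": [
  {"id": "Fido2", "state": "enabled", "isAttestationEnforced": false,
   "keyRestrictions": {"isEnforced": false, "enforcementType": "block", "aaGuids": []}},
  {"id": "MicrosoftAuthenticator", "state": "enabled",
   "includeTargets": [{"targetType": "group", "id": "all_users",
                       "authenticationMode": "push"}]},
  {"id": "X509Certificate", "state": "disabled",
   "authenticationModeConfiguration":
     {"x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor"}}
]}
""")


def _config(policy, method_id):
    """Return the configuration entry for one method id ({} if absent)."""
    for cfg in policy.get("authenticationMethodConfigurations", []):
        if (cfg.get("id") or "").lower() == method_id.lower():
            return cfg
    return {}


def evaluate_policy(policy):
    """Map each tenant-side control to True (as the table expects) or False."""
    f = {}
    fido2 = _config(policy, "Fido2")
    f["fido2_enabled"] = fido2.get("state") == "enabled"
    # Attestation plus an AAGUID allow-list are the tenant-side knobs for limiting
    # registrations to vetted (for example, certified L2) key models.
    f["fido2_attestation_enforced"] = bool(fido2.get("isAttestationEnforced"))
    kr = fido2.get("keyRestrictions") or {}
    f["fido2_key_allowlist"] = (bool(kr.get("isEnforced"))
                                and kr.get("enforcementType") == "allow"
                                and bool(kr.get("aaGuids")))
    auth = _config(policy, "MicrosoftAuthenticator")
    modes = {t.get("authenticationMode") for t in auth.get("includeTargets", [])}
    # Row 1 is passwordless phone sign-in ("any" or "deviceBasedPush");
    # plain "push" only adds a second factor on top of a password.
    f["authenticator_passwordless"] = (auth.get("state") == "enabled"
                                       and bool(modes & {"any", "deviceBasedPush"}))
    cba = _config(policy, "X509Certificate")
    mode = (cba.get("authenticationModeConfiguration") or {}).get(
        "x509CertificateAuthenticationDefaultMode")
    # Row 4 (smart card + PIN) counts as MFA only when CBA defaults to multifactor.
    f["cba_multifactor"] = cba.get("state") == "enabled" and mode == "x509CertificateMultiFactor"
    return f
```

Running `evaluate_policy(SAMPLE_POLICY)` returns False for every check except `fido2_enabled`, which is the point: a method being switched on is not the same as it being configured the way the table requires.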

Next steps

PCI-DSS requirements 3, 4, 9, and 12 aren't applicable to Microsoft Entra ID, therefore there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org: Official PCI Security Standards Council Site.

To configure Microsoft Entra ID to comply with PCI-DSS, see the following articles.