Can IDaaS Support PCI Section 8 Compliance?

By Katelyn McWilliams Posted September 4, 2018

PCI Section 8 Compliance Requirements

Security is at the forefront of every IT admin’s mind. In addition to the huge ramifications of a breach, many organizations are required to implement security measures in order to achieve security compliance. Much of this centers around securely storing data and authenticating access to user identities. With that in mind, IT admins are often asking the question of whether Identity-as-a-Service, or IDaaS, can support PCI Section 8 compliance. Let’s explore cybersecurity and what achieving PCI Section 8 compliance really means.

What is PCI Section 8?

PCI Data Security Standard regulations

Before we discuss if IDaaS can support PCI Section 8 compliance, we should first understand what PCI DSS is. The Payment Card Industry Data Security Standard (PCI DSS) is a series of regulations that apply to all companies that accept credit card payments. All such data must be stored with a PCI compliant hosting provider or in a PCI compliant manner. The goal of PCI compliance is securing cardholder information, and ultimately, avoiding financial fraud.

The digital age makes all companies that store cardholder information targets for financial fraud, and the PCI SSC Reference Guide reports that more than “510 million records with sensitive information have been breached since January 2005.” The PCI security standards are both technical and operational standards put in place by the PCI Security Standards Council (PCI SSC) to protect personal information and avoid breaches.

While all sections of PCI DSS include sub-requirements, Section 8 states that a unique ID must be assigned to all users with computer access. This ensures that any access or action on critical data are traceable to, performed by, and given access to authorized users. So, can IDaaS really support Section 8 compliance?

Achieving PCI Section 8 Compliance

There are a number of critical authentication and identity security requirements within PCI Section 8. Many of the requirements center on who has access, password complexity management and rotation, multi-factor authentication, and other authentication issues. There are further requirements in PCI Section 10 that revolve around user event logging such as retaining data on who accessed what systems, when, and what they did on them.

So, can IDaaS support PCI section 8 compliance? The short answer is, yes, a modern Identity-as-a-Service platform with the right capabilities to manage user access to the cardholder data environment (CDE) can absolutely support PCI Section 8 compliance. However, the challenge here is that most first-generation IDaaS solutions, which are essentially just web application SSO solutions, won’t fit the bill because PCI Section 8 is largely aimed at controlling access to servers and back-end systems. For most first-generation IDaaS platforms, controlling user access to Windows, Linux, and Mac® systems is outside of their scope. 

PCI Section 8 Compliance requirements

The Next Generation of IDaaS: Directory-as-a-Service®

Is it possible for IDaaS to manage access to systems and servers in addition to web apps and cloud resources? Conventionally, system/server management was the purview of the directory service.

A new generation of IDaaS solutions called Directory-as-a-Service® is solving a number of the requirements for PCI Section 8 from the cloud. Directory-as-a-Service is an OS agnostic, cloud-based directory; it essentially acts as an SSO solution and a core directory service, all in one solution. As a modern approach to directory services, this more robust take on IDaaS can control access to CDEs regardless of location, whether it be on-prem, collocated in private data centers, or in public cloud platforms such as AWS®, GCP, and Azure®.

IT organizations can tightly control which users have access to the CDE, their password requirements, whether SSH keys are enforced, and if MFA is needed to access certain systems. In fact, these requirements can be set via policy and enforced via group settings so that all users that require access to the CDE are tightly managed and controlled. JumpCloud also offers event logging, that allows admins to track whenever a user authenticates to a laptop, desktop, or server.

Testing JumpCloud® for PCI Section 8 and 10 Compliance

If you’re going through a PCI audit and looking for documentation that proves that Directory-as-a-Service can satisfy the PCI Section 8 requirements, then take a look at this third party report. Coalfire, a leading cybersecurity advisor and QSA, has done a rigorous analysis and environmental testing of Directory-as-a-Service to determine its utility in supporting PCI.

Coalfire completed their technical assessment both within the hosted infrastructure as well as within their test lab and have concluded that the JumpCloud® DaaS platform provides coverage for all applicable sections of PCI DSS Section 8 and 10. By using JumpCloud, IT admins are given the authority to create a centralized directory of their users and their unique access to resource. Coalfire also notes that the JumpCloud agent can only be uninstalled by an authorized admin, ensuring access to systems is securely handled through JumpCloud.

Utilizing JumpCloud for PCI DSS Audits

Directory as a Service Security

If you’re ready to utilize JumpCloud to prepare you for a PCI DSS audit, you’re welcome to schedule a demo to see the product in action. If you have any further questions on leveraging our Directory-as-a-Service platform to reach Section 8 compliance, please reference Coalfire’s white paper or reach out to our team, we would be happy to answer any questions you have. When you sign up for an account, your first ten users are free forever.

Katelyn McWilliams

Kate is a Content Writer at JumpCloud. She moved to Boulder, Colorado from Seattle in 2017 with experience in marketing for IT under her belt. When she isn't writing about tech, she enjoys rock climbing and petting every dog in sight.

Recent Posts