How to Enforce FDE to Achieve PCI Compliance

Written by Zach DeMeyer on June 27, 2019

Share This Article

Full disk encryption (FDE) is a critical security measure in today’s modern networks. With data security being more critical than ever, many IT admins are wondering how they can enforce full disk encryption across their fleets of cross-platform systems. Many organizations are also subject to compliance regulations like PCI DSS, which require FDE as a part of their compliance requirements. In this blog post, we’ll discuss how to enforce FDE to achieve PCI compliance across Mac® and Windows® fleets.


What is FDE?

Full disk encryption locks down a computer’s hard drive when said computer is powered off, or at rest. If a computer with FDE enabled is stolen, the only thing the thief will make away with is the hardware; the data on the system will be encrypted and very difficult to acquire.

FDE programs (BitLocker for Windows, FileVault for Mac) utilize a recovery key as a method of authentication. When a user logs into their FDE-protected system, the drive is unlocked using their associated username and password. But, in case a user forgets their password, is locked out, or the hard drive needs to be removed and accessed for any reason, an IT admin uses the recovery key to decrypt the drive. Given the crucial nature of recovery keys, IT admins need to  store them in escrow, that is, securely stored and categorized in relation to the system it belongs to.

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance regulation that was created to ensure that credit card data is kept secure by companies that handle this critical customer financial information. PCI revolves around securing the cardholder data environment, or CDE, which houses all credit card information that passes through a company under compliance. There are 12 main requirements under PCI regulation, but Requirement 3 deals specifically with data encryption. 

Using FDE for PCI

At its core, PCI Requirement 3 calls for installing proper security measures to protect data housed in the CDE. It is arguably one of the most important requirements for PCI altogether. FDE is an ideal way to ensure Requirement 3 compliance. By locking down at rest systems, IT admins can prevent unauthorized access due to a stolen laptop or hard drive. 

In regards to encryption, Requirement 3 also demands that cryptographic keys are securely stored and maintained. Using recovery key escrow, IT admins can ensure that only the right people have access to cryptographic keys, and also monitor when they’re used for access and who uses them.

How to Enforce FDE to Achieve PCI Compliance

When it comes to enforcing FDE across Mac and Windows for PCI compliance, IT admins might find that their options are limited. Many FDE tools on the market are only capable of enforcing either Bitlocker or FileVault—not both. Since many of today’s IT organizations are heterogeneous with regards to system platforms, an FDE solution that can only enforce one or the other simply won’t do and admins would rather not implement multiple solutions to reach the desired end.

Additionally, IT organizations also need their FDE solution to securely store cryptographic recovery keys in escrow. This need limits the list of ideal FDE options even more. At the end of the day, with these requirements there’s an excellent option that provides IT admins with a low overhead FDE experience suited for PCI compliance.

FDE and More from the Cloud

JumpCloud® Directory-as-a-Service® is the world’s first cloud directory service, providing comprehensive identity and access management (IAM) from a single cloud admin portal. Among JumpCloud’s core offerings is cross-platform (Windows, Mac, Linux®) system management. Using JumpCloud Policies, IT admins can enforce FDE at scale across their Windows and Mac system fleets, escrowing individual recovery keys safely within JumpCloud.

JumpCloud can also help IT organizations with PCI compliance beyond Requirement 3. Independent auditing firm, Coalfire Systems, evaluated the JumpCloud product in regards to PCI Requirement 8. You can read their findings in this whitepaper.

Get Started for Free

You can use JumpCloud to achieve PCI compliance using FDE and more absolutely free. Simply sign up for JumpCloud and get started with ten users in the platform, which are included at no cost to you and usable forever. You can also schedule a demo to see the product in action.

Are you curious about JumpCloud and would like to learn more? Send us a note or give us a call. We’d be happy to chat with you.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.

Continue Learning with our Newsletter