Foundation Of PCI Compliance: Identity Management

By Zach DeMeyer Posted October 19, 2018


These days, ecommerce is quickly becoming the new normal for shopping. With a couple clicks and 16 magic numbers (plus an expiration date and a CVC/CCV code), you can get almost anything you want on the internet. But what happens to your credit card information once your payment goes through? Is it safe from hackers? Well, hopefully the IT organization behind your ecommerce purchases has been focused on the foundation of PCI compliance: identity management.

What is PCI Compliance?


The Payment Card Industry Data Security Standard (PCI DSS) is a compliance regulation that covers the storage and management of customer credit card information, specifically the cardholder data environment (CDE). There are 12 sections in the requirement list for PCI DSS compliance, which ultimately boil down to a few fundamental concepts. Reducing even further, at the foundation of those concepts is identity management, or ensuring that the right people have access to CDEs and customer info, and the wrong people don’t.

Of course, controlling access to critical servers, applications, and data makes a great deal of sense, and it isn’t just limited to those organizations that are subject to PCI compliance. Identity management is a core function of practically all of IT. But for those companies that deal with credit card information and are subject to PCI requirements, there is an added level of scrutiny to ensure that their systems and processes for user management and identity security are rock solid.

The Right Tools for the Job


In many cases, PCI compliance comes down to leveraging the right tools (and processes) for the job. When it comes to identity management, no solution is better suited than the identity provider, often called directory services. With a directory, IT admins can regulate the privileges of user identities, and subsequently federate proper access to the proper people. This functionality is especially pertinent regarding processes like on/offboarding, where controlling access to sensitive data is crucial.

One such directory service that’s gaining traction, especially in the PCI compliance space, is JumpCloud® Directory-as-a-Service®. JumpCloud innovates the concept behind traditional directory services by offering its services from a third-party, cloud-based solution. When it comes to identity management, the foundation of PCI compliance, Directory-as-a-Service is more than apt.

JumpCloud Put to the PCI Test


Of course, anyone can just say that their service is an ideal solution, so JumpCloud decided to put our words to the ultimate test. We asked an independent auditor, Coalfire Systems, to put Directory-as-a-Service through the rigors of a real PCI review, specifically focused on PCI Section 8, which is based around strong identity management practices. While testing, Coalfire also examined JumpCloud with regard to PCI Section 10, which covers how CDE data moves through a network and how that movement is monitored.

As the smoke of the review cleared, Coalfire found that, when properly implemented, Directory-as-a-Service’s identity management capabilities are compliant with PCI Section 8 and 10 guidelines. JumpCloud features such as strong endpoint management, security features like multi-factor authentication (MFA), and event logging assist with compliance, putting the lives of IT admins preparing for their PCI audit more at ease. You can read more about Coalfire’s review in their whitepaper.

Identity Management for PCI with JumpCloud


To learn more about how you can use JumpCloud Directory-as-a-Service to home in on identity management for the foundations of your PCI compliance, contact us. Our expert team is more than willing to help answer your questions or concerns. Observe JumpCloud’s identity management capabilities in action by scheduling a demo or signing up for the product. Signing up is free and comes with ten free users to get you started.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
