The PCI DSS is a prescriptive compliance regulation for the payment card industry whose purpose is to protect cardholder identity and data. The PCI council is specific in its PCI DSS requirements, defining 12 overall areas and hundreds of sub-requirements. These areas range from network security and encryption of data to secure coding requirements and ongoing management. One of the most significant areas is Section 8, which covers identifying and authenticating access to cardholder systems.
Section 8 – Identifying Access
While there are numerous sub-requirements in this section, the overarching themes are to identify who has access and to ensure that each identity is unique. Further, access should be secured so that no one can use credentials that were issued exclusively to someone else. Other areas of the PCI DSS require that the actions of those who log in to these core confidential systems be monitored. For each of these areas, a Directory-as-a-Service platform can help organizations meet their compliance requirements.
Access Control Center – Directory-as-a-Service
Key areas of Section 8 requirements that can be supported by Directory-as-a-Service are as follows:
- Determine who should have what access – once a user's identity has been established, the next step is determining the appropriate level of access. For example, general users should not have access to the cardholder data environment. Specific admins that do have access to cardholder data should be granted only the minimum access they need.
- Control user management – the ability to create, modify, and terminate users on systems is critical to ensuring compliance with Section 8. Any user whose access privileges have ended must be removed from all critical systems immediately.
- Strong authentication methods – the PCI DSS has very specific requirements on password complexity, password rotation, password reuse, and multi-factor authentication. These requirements are focused on ensuring that only the people who have been granted access are the ones who actually use it.
- No shared access – a critical requirement is that there be no shared credentials. Unique credentials make it possible to audit activity back to its source. This is especially critical for database access, where programmatic access methods must also be well documented.
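The four themes above can be turned into an automated access review that a directory administrator would run against an exported account inventory. The following is an added example written for this article, not code from the original post or from any Directory-as-a-Service product. The account fields, the HR feed of terminated staff, the role names that justify cardholder data environment (CDE) access, and the numeric thresholds (90-day rotation, four-password history, 12-character minimum, three character classes) are all assumptions chosen for illustration rather than values quoted from the standard; the inventory itself is constructed so that each check fires at least once.

```python
"""Automated Section 8 access review over a constructed account inventory.
Editor's example, not the original post's or any product's code. Thresholds
and role names are assumptions for illustration, not PCI DSS text."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import re

TODAY = date(2024, 6, 1)                  # fixed review date so results are reproducible
MAX_PASSWORD_AGE = timedelta(days=90)     # assumed rotation period
PASSWORD_HISTORY_DEPTH = 4                # assumed reuse window
MIN_PASSWORD_LENGTH = 12                  # assumed complexity floor
CDE_ROLES = {"cde-dba", "cde-sysadmin"}   # assumed roles that justify CDE access
TERMINATED = {"m.chen"}                   # constructed HR feed of departed staff


def password_hash(password: str) -> str:
    """Stand-in for the directory's stored password verifier (illustration only)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    owners: list            # people who use this credential; exactly one is the goal
    active: bool
    roles: set
    cde_access: bool
    mfa_enrolled: bool
    password_set: date
    password_history: list = field(default_factory=list)  # verifier hashes, newest first
    documented_service: bool = False  # programmatic account with a documented owner


def review(accounts: list) -> dict:
    """Return {username: [finding, ...]} for every account that fails a check."""
    findings = {}
    for a in accounts:
        f = []
        if len(a.owners) > 1:                       # no shared credentials
            f.append("shared-credential")
        if not a.owners and not a.documented_service:  # programmatic access must be documented
            f.append("no-documented-owner")
        if a.active and any(o in TERMINATED for o in a.owners):  # revoke departed users
            f.append("terminated-user-still-active")
        if a.cde_access and not (a.roles & CDE_ROLES):  # least privilege for the CDE
            f.append("cde-access-without-admin-role")
        if a.cde_access and not a.mfa_enrolled:     # strong authentication
            f.append("mfa-missing")
        if a.active and TODAY - a.password_set > MAX_PASSWORD_AGE:  # rotation
            f.append("password-rotation-overdue")
        if f:
            findings[a.username] = f
    return findings


def password_change_allowed(account: Account, new_password: str) -> tuple:
    """Enforce complexity and reuse rules before accepting a new password."""
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False, "too short"
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, new_password)) for c in classes) < 3:
        return False, "needs three character classes"
    if password_hash(new_password) in account.password_history[:PASSWORD_HISTORY_DEPTH]:
        return False, "reused within history window"
    return True, "ok"


# Constructed inventory exercising each check.
ACCOUNTS = [
    Account("a.lopez", ["a.lopez"], True, {"cde-dba"}, True, True,
            TODAY - timedelta(days=10), [password_hash("Old-Secret-2024!")]),
    Account("m.chen", ["m.chen"], True, {"helpdesk"}, False, False,
            TODAY - timedelta(days=20)),
    Account("ops-shared", ["j.park", "r.singh"], True, {"cde-sysadmin"}, True, False,
            TODAY - timedelta(days=200)),
    Account("svc-billing", [], True, {"app"}, True, False,
            TODAY - timedelta(days=30), documented_service=True),
]

if __name__ == "__main__":
    for user, issues in review(ACCOUNTS).items():
        print(user, ", ".join(issues))
```

Run as a script it lists the failing accounts: the shared `ops-shared` credential with no MFA and an overdue password, the departed `m.chen` still active, and the `svc-billing` service account holding CDE access without a role that justifies it. `password_change_allowed` shows the other half of the theme, rejecting short, low-entropy or recently reused passwords at change time rather than discovering them in a later audit.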
The PCI DSS is a major compliance initiative for any organization, and it raises a number of issues that IT organizations need to solve. Supporting processes and technology solutions are key, and Directory-as-a-Service solutions can be very helpful with one of the more pressing security issues – authentication and access to data.