Staying PCI Compliant with Remote Workers

Written by Zach DeMeyer on April 30, 2020

Although enabling a remote workforce is many IT admins’ top priority today, compliance remains one of the most important hurdles an organization faces. Specifically, with the rise of ecommerce following the phasing out of most brick-and-mortar retail stores, many organizations need to ensure they’re PCI DSS compliant. Armed with a cloud directory service, staying PCI compliant with remote workers for Sections 7, 8, and 10 is surprisingly straightforward.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) requires that any business handling customer payment information, namely credit cards, must do so securely and with customer privacy in mind. A main focal point of the requirement is the cardholder data environment (CDE), the core location where organizations store and/or process payment information. 

IT departments need to ensure that access to CDEs is tightly controlled and monitored in order to prevent breaches and quickly identify the source if one does occur. PCI Sections 7, 8, and 10 specifically call for an organization to demonstrate strong identity and access management (IAM) practices and procedures.

The following are a few examples of IAM policies that IT organizations need in place based on Section 7, 8, and 10 requirements. You can check out the official PCI Quick Reference Guide to see all of the requirements.

Section 7

PCI Section 7 is concerned with how organizations control access to their CDE. Users need to be granted access on a least-privilege basis: only those who absolutely need access to customer data are allowed access to it. IT admins need to control how their users access virtually all of their resources, ensuring that only the requisite group of users is able to leverage the CDE.

Section 8

PCI Section 8 focuses specifically on controlling and managing the identities that have access to the CDE. Admins need to be able to disable an account at a moment’s notice, and automatically lock out a user after multiple failed login attempts.

Users need to have complex, unique, and compliant passwords, along with additional authentication factors associated with their identity, including but not limited to:

  • SMS tokens
  • TOTP codes
  • Push-based authentication
  • Hardware keys
  • Biometrics

At least one of these factors must accompany username/password credentials upon entry to the CDE, whether through the user’s system, an application, or over a VPN. End users need to be fully aware and able to authenticate in this multi-factor authentication (MFA) approach, so IT admins need to make sure that not only are their MFA solutions streamlined, but their end users are trained and ready to use them.

Section 10

While Sections 7 and 8 are centered around breach prevention, PCI Section 10 covers an organization’s response to an attempted breach of their CDE, namely monitoring and event logging requirements. Put briefly, IT departments need full audit trails to show as much information about their CDE as possible so they can track down the source of an issue, and prove their ability to do so to an auditor.
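
As an added example (not part of the original article and not JumpCloud code), the following Python audits an authentication event trail for the controls described above: CDE access by users outside the approved group (Section 7), CDE entry without a second factor and a missing lockout after repeated failures (Section 8), all read from the audit trail that Section 10 calls for. The event field names, the user and resource names, and the lockout threshold of 6 are assumptions made for this example.

```python
from collections import defaultdict

# Assumed policy values for this example (not taken from the article).
LOCKOUT_THRESHOLD = 6                 # failed attempts allowed before lockout
CDE_RESOURCES = {"cde-db"}            # resources inside the CDE
CDE_GROUP = {"alice", "bob"}          # users approved for CDE access

def _ev(ts, user, resource, result, mfa=None):
    return {"ts": f"2020-04-30T{ts}Z", "user": user, "resource": resource,
            "result": result, "mfa": mfa}

# Constructed sample events; the field names are hypothetical, not a vendor schema.
EVENTS = (
    [_ev("09:00:00", "alice", "cde-db", "success", "totp"),
     _ev("09:05:00", "bob", "cde-db", "success"),            # no second factor
     _ev("09:10:00", "carol", "cde-db", "success", "push")]  # not in CDE group
    + [_ev(f"10:00:0{i}", "dave", "vpn", "failure") for i in range(7)]
    + [_ev(f"11:00:0{i}", "erin", "vpn", "failure") for i in range(6)]
    + [_ev("11:00:06", "erin", "vpn", "lockout")]
)

def audit(events, threshold=LOCKOUT_THRESHOLD):
    """Return (timestamp, user, finding) tuples in chronological order."""
    findings, streak, locked = [], defaultdict(int), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = e["ts"], e["user"]
        if e["result"] == "lockout":
            locked.add(user)
        elif e["result"] == "failure":
            streak[user] += 1
            # An attempt evaluated past the threshold means no lockout fired.
            if streak[user] == threshold + 1 and user not in locked:
                findings.append((ts, user, "no-lockout"))
        elif e["result"] == "success":
            streak[user] = 0
            if e["resource"] in CDE_RESOURCES:
                if user not in CDE_GROUP:       # Section 7: least privilege
                    findings.append((ts, user, "not-authorized"))
                if not e["mfa"]:                # Section 8: MFA on CDE entry
                    findings.append((ts, user, "missing-mfa"))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(*finding)
```

Each finding carries the timestamp and user, which is the evidence an auditor would ask for when a control is claimed to be in place.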

A common thread through all three sections is that organizations must not only have these measures in place, but must be able to demonstrate the extent of their procedures through documentation and training of involved parties. Although many organizations achieve PCI compliance while in their controlled office setting, doing so with a fully remote workforce is an entirely different animal.

PCI Troubles with Remote Workers

Although access to a modern CDE is often performed remotely, the IAM processes that allow said access usually occur on-premises via Active Directory® (AD). Now that the world’s organizations are forced to adopt a fully distributed model of operations, IT admins find that remotely managing their on-prem directory service is more difficult.

Neither end user nor admin is connected to the AD domain physically, so both need to leverage coordinated VPN infrastructure for effective management. In addition, AD and other on-prem IAM tools of its ilk are unable to provide the MFA that PCI Section 8 requires. They also struggle to effectively manage operating systems other than Windows, so organizations need to leverage additional solutions to extend their AD identities in a compliant fashion.

By leveraging a cloud directory service, or Directory-as-a-Service®, IT admins can maintain the level of control needed to stay PCI compliant with a remote workforce.

Staying PCI Compliant Remotely with a Cloud Directory Service

Using JumpCloud® Directory-as-a-Service, IT admins have the ability to establish a domainless approach to IAM. JumpCloud offers group-based device control and access management, no matter the platform, protocol, or provider. 

Admins can leverage Policies across Windows®, Mac®, and Linux® to remotely control system screen lock, full disk encryption, and other key security measures required by PCI DSS regulations. 

JumpCloud’s True Single Sign-On™ enables seamless SAML, LDAP, and RADIUS authentication to the apps, infrastructure, and VPNs that users need to access CDEs, simultaneously allowing admins to control which users have said access, and which don’t.

Directory-as-a-Service provides MFA across Windows, Mac, and Linux, as well as on the User Portal where remote workers can leverage True Single Sign-On to access their requisite resources, and on their VPN connections through RADIUS.

For system data and event logging, organizations can leverage the premium System Insights™ and Directory Insights™ tools to keep tabs on devices and their access to CDE materials. IT admins can also leverage the JumpCloud API to see access events and other data required for an audit.

QSA Whitepaper

Independent auditing firm Coalfire evaluates products in regard to helping organizations achieve compliance standards. In their assessment of the JumpCloud product, Coalfire found that using Directory-as-a-Service provides organizations with most of the requirements of PCI Sections 8 and 10. You can read more about their findings here.

Learn More

If your organization is concerned about staying PCI compliant with remote workers, consider overhauling your IAM with Directory-as-a-Service. Check out our Solutions page to see how JumpCloud supports work from home, or try the product out for free to see for yourself.
