Narendra Sahoo is a director of VISTA InfoSec.
The Payment Card Industry Data Security Standard also commonly referred to as PCI DSS is a payment security standard that outlines requirements to protect cardholder data. The standard mandates the need for organizations to protect the cardholder data environment by taking necessary security measures to secure card data. One way to achieve this is by implementing strong Administrative Access controls to the Cardholder Data Environment and ensuring the access is well controlled, secured, and regularly monitored. This provides greater visibility around the user access to the Cardholder Data Environment.
In fact, the PCI DSS 4.0 Version also comprises revisions to the authentication requirements with the need to implement stronger access controls and regular monitoring and reviewing of Access Privileges. Identity and Access Management (IAM) and Privileged Access Management (PAM) play a crucial role in safeguarding cardholder data, and the new version of the standard recognizes its significance. The requirement reflects the latest industry best practices for ensuring strong measures for securing card data. Covering more on this, we have shared how IAM and PAM can play an important role in securing card data and meeting the PCI DSS requirements.
How does PAM and IAM address the PCI DSS Requirement 4.0?
The payment industry has gradually moved to the cloud and so the need to focus on strong access controls and authentication standards is the need of the hour. Recognizing these needs, the PCI Council in its latest version of PCI DSS 4.0 has placed great emphasis on Identity, Access Management, and Authentication. On that note let us see how IAM and PAM facilitate PCI DSS Requirements
- Requirement 1: Install and Maintain Network Security Controls
PCI DSS 4.0 requirement requires organizations to install and maintain network security controls by installing firewalls antivirus and security software. Further, implementing security and access controls such as IAM and PAM shall also help meet the requirement of maintaining and restricting access to the network to and from the cardholder data environment (Requirement 1.1.3). Implementing IAM and PAM ensures only authorized access to the environment, thereby preventing any scope of unauthorized access to the network and CDE.
- Requirement 2: Apply Secure Configurations to All Systems-
When it comes to implementing measures for secure configurations to all systems, adopting Privileged Access Management (PAM) solution is one way of addressing the security issues and concerns. The PAM solution includes the implementation of security parameters that requires the change of default passwords as a part of the security process. It requires implementing password management controls that shall comprise rules for creating strong passwords, the mandate for changing default passwords, and forced rotation of passwords and keys. This is a crucial security implementation for securing and preventing unauthorized access to systems and data.
Requirement 3: Protect Stored Account Data
PCI DSS requires implementing effective methods for protecting stored data. It requires the organization to apply access controls according to their defined roles. This is one way to limit access to viewing full PAN to only those individuals with a defined business need. While Masking is the way organizations will ensure the PAN data is protected. But even with the Privilege Access Management (PAM) solution in place, it will address the issue of ensuring that access to the sensitive PAN data isn’t in the hands of an unauthorized person.
- Requirement7: Restrict Access to System Components and Cardholder Data by Business Need to Know.
Organizations are expected to implement strong access controls on systems, components, and networks for maximum security of data. So, implementing PAM will ensure that the cardholder data is only accessible to users with the appropriate privileges. This way, having in place a strong PAM solution will not just ensure meeting the PCI DSS 4.0 requirements, but it will also make sure that only authorized users are granted appropriate privileges and that the access granted is only based on work requirements and their access attempt meets defined rules.
- Requirement 8: Identify Users and Authenticate Access to System Components
Organizations are expected to have in place appropriate mechanisms to identify users and authenticate access to only privileged users. These two fundamental principles of PCI DSS requirement of identifying and authenticating users for access can be achieved through the IAM solution. The IAM solution comprises the implementation of security measures such as Multi-factor Authentication (MFA) to secure access to CDE and authorize only verified users’ access to the system and data. This further prevents unauthorized access, misuse of data, data alteration, and deletion of data. Finally, implementing PAM and IAM solutions helps manage access controls and access keys to systems and networks.
- Requirement 9: Restrict Physical Access to Cardholder Data
PCI DSS Requirement requires organizations to implement measures to restrict physical access to cardholder data. PAM and IAM solutions manage and monitor access controls. They help restrict physical access to cardholder data-based roles, responsibilities, performing activities, authorization, and authentication of privilege access granted to individuals. With such secure implementation system components and card data in the CDE cannot be physically accessed unless authorized.
- Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
PAM and IAM solutions in general have an exceptional feature of not just restricting access to critical systems, networks, and data but also track monitor and recording all access logs and user activities around the systems and data. This way PAM and IAM solutions help meet the PCI DSS requirement of maintaining logs and monitoring access to cardholder data. They also have the capability of automatically terminating sessions that have either expired or attempts have been made for unauthorized access or misuse of privileged access.
- Requirement 11: Test Security of Systems and Networks Regularly
The primary objective of this requirement is to test and verify all wireless access points including identifying vulnerabilities and the scope of any unauthorized access points that can impact the security of systems and data. So, there must be measures in place that secures remote access to systems, network, and data. With PAM and IAM solutions in place, it can manage and control privileged access by users, based on defined roles, and work requirement while ensuring the implementation meets the PCI DSS security requirements. Further, such access management also facilitates tracking and monitoring of user access even from the remote locations (or IP addresses)
PCI DSS covers a wide range of payment card security requirements and measures for implementation. So, while the PCI Council has in its latest updates made the standard more flexible in terms of approach to meet the requirement, PAM and IAM solutions can be seen as an effective solutions to address most of the security issues. Such solutions go a long way in meeting the security requirements of PCI DSS. It further aids the organization in their compliance journey and also in their cyber security initiatives. The solution also facilitates better protection of sensitive payment cardholder data.