The Payment Card Industry Data Security Standard (PCI DSS) was created to strengthen controls on cardholder data in order to reduce payment card fraud. It is maintained by the PCI Security Standards Council, which the major card brands founded in 2006, and it protects issuers and cardholders by requiring every merchant and service provider that stores, processes, or transmits cardholder data to meet a baseline set of security controls. The card brands and acquiring banks enforce the standard: a non-compliant organization can face fines, penalties, and public disclosure, and ultimately the loss of its ability to process payment cards.

Any business that accepts payment cards or processes card data must validate its PCI compliance every year, either through a self-assessment questionnaire or through an on-site assessment by a Qualified Security Assessor, depending on its merchant level and transaction volume. Rather than treating that validation as one monolithic annual risk assessment, merchants should check their controls continuously throughout the year, treating compliance as an ongoing element of business operations instead of as an annual event.

Proactively and automatically managing administrative privileges over the systems that hold or handle cardholder data is a critical step in meeting these ongoing PCI DSS obligations. A privileged identity management platform is an efficient way to do it.

The role of privileged identity management

The traditional approach of writing and enforcing user-activity security policies tied to individual server operating systems and administrative domains is no longer sufficient for securing payment information in a heterogeneous infrastructure. The modern enterprise typically runs a blend of on-premises and cloud infrastructure, often including Infrastructure-as-a-Service (IaaS) environments. That larger, more diverse estate is a larger attack surface, and with it comes a greater risk of stolen cardholder data. IT must adopt an approach to privileged identity management that matches the realities of hybrid computing in the modern enterprise.

Privileged identity management solutions let organizations control access to cardholder data more strictly by tying every privileged action to a named individual. IT can audit every privileged session, and privileged users sign in with a single, unified identity that grants them only the resources they need to perform their jobs.

Managing privileged data

PCI DSS 3.2 was released in April 2016. It contains 12 major requirements grouped under six control objectives:

Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access-control measures
Regularly monitor and test networks
Maintain an information security policy

Because the primary objective of PCI DSS is to protect cardholder data, many of these requirements concern who can reach the servers that store this data and the servers through which it passes. Privileged identity management maps most directly onto Requirement 7 (restrict access to cardholder data by business need to know), Requirement 8 (identify and authenticate access to system components, with a unique ID for every user) and Requirement 10 (track and monitor all access to network resources and cardholder data).

Organizations can use these controls to manage and limit privileged user access to in-scope systems and data. They can also shrink the scope of the assessment itself: isolating the cardholder data environment (CDE) on its own network segments, controlling who can log in to it, enforcing server-to-server communication policies so that untrusted servers cannot reach cardholder data, and encrypting cardholder data in transit all reduce the number of systems an assessor must examine.

Many organizations underestimate the danger of giving employees full administrative privileges simply so that they can carry out everyday tasks. That standing access raises both the likelihood and the impact of an attack, and it is itself a likely finding in a PCI assessment. For example, an internal or outsourced IT administrator making unauthorized system changes could unintentionally disable antivirus or policy settings designed to protect servers that transmit cardholder data. That is why access to protected data should be granted only when it is actually required, and only for as long as it is required.

A least-privilege policy grants users only the rights necessary to perform their daily jobs. Such policies limit the damage a compromised or misused account can do, and so reduce both the risk of a data breach and the effort of demonstrating PCI compliance.

Supporting PCI compliance

Instead of relying on complex scripting, proprietary databases, or expensive and fragile server architectures, IT can now control privileges through a single, unified architecture that governs access to sensitive data in the cloud and on on-premises Windows, Linux, and UNIX servers.

Using a privileged identity management solution to implement and audit privileged user activity provides individual accountability for privileged access: shared and built-in accounts such as root or Administrator are no longer used anonymously, because every session is tied to the named person who opened it, as Requirement 8 demands. For example, Centrify’s privileged identity management solutions enable organizations to consolidate identities, deliver cross-platform least-privilege access, and control shared accounts while auditing all privileged sessions.

IT can establish a least-privilege model with role-based access to individual commands, rather than to an entire root shell, and satisfy the relevant PCI DSS requirements quickly and consistently on an ongoing basis. The enterprise also gets central reports of “who accessed what resource” and “what did they do with that access.” One caveat worth building in from the start: those session recordings and audit logs must be stored where the administrators being audited cannot alter or delete them, or they will not meet Requirement 10’s demand for protected audit trails.

The bottom line

Enterprises can implement highly granular, role-based privilege management controls that let administrative users get their work done without unnecessary overhead while reducing compliance risk. IT can assign or revoke privileges easily, and the enterprise can document PCI DSS compliance from a single view of privileged access activity. These controls let enterprises automate privileged identity management and monitoring while keeping compliance overhead to a minimum.

For more information about using privileged identity management to support PCI compliance, download the Centrify white paper, Becoming PCI DSS Compliant.
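As an added example that is not part of the original article and is not Centrify’s product or code, the following Python sketches the least-privilege model described above: roles grant named users specific commands on specific in-scope hosts, everything else is denied by default, and every decision is written to an audit trail from which a “who did what” report is built. The roles, users, hosts and commands are constructed for illustration.

```python
"""Role-based, command-level least privilege with an audit trail.

Added example, not Centrify's product or code: a minimal policy engine of the
kind the article describes. Roles grant their members specific privileged
commands on specific hosts, everything else is denied by default, and every
decision is recorded so that "who accessed what, and what did they do" can be
reported per user. Roles, hosts, users and commands below are constructed.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy. Each command is an argv list, never a shell string, so
# that "allowed-cmd; rm -rf /" cannot be smuggled in as one argument. Elements
# may use shell-style wildcards; a wildcard stands for a value, not an option.
POLICY = {
    "pci-dba": {
        "hosts": ["pci-db-*"],
        "commands": [
            ["/usr/bin/systemctl", "restart", "postgresql"],
            ["/usr/bin/pg_dump", "--schema-only", "cardvault"],
        ],
    },
    "pci-ops": {
        "hosts": ["pci-*"],
        "commands": [
            ["/usr/bin/systemctl", "status", "*"],
            ["/usr/bin/journalctl", "-u", "*"],
        ],
    },
}

# Constructed role membership: named individuals only, never shared IDs.
ROLE_MEMBERS = {
    "pci-dba": {"alice"},
    "pci-ops": {"alice", "bob"},
}

AUDIT_LOG: list[AuditRecord] = []


@dataclass(frozen=True)
class AuditRecord:
    when: str
    user: str
    host: str
    argv: tuple[str, ...]
    role: str | None   # role that granted access, None on deny
    decision: str      # "allow" or "deny"
    reason: str


def _element_matches(pattern: str, arg: str) -> bool:
    has_wildcard = any(c in pattern for c in "*?[")
    if has_wildcard and arg.startswith("-"):
        return False  # a wildcard must not let the caller inject options
    return fnmatch.fnmatchcase(arg, pattern)


def _argv_matches(pattern: list[str], argv: list[str]) -> bool:
    # Same length required: a trailing wildcard never absorbs extra arguments.
    return len(pattern) == len(argv) and all(
        _element_matches(p, a) for p, a in zip(pattern, argv)
    )


def authorize(user: str, host: str, argv: list[str]) -> AuditRecord:
    """Decide whether user may run argv on host; always record the decision."""
    when = datetime.now(timezone.utc).isoformat()

    def record(decision: str, reason: str, role: str | None = None) -> AuditRecord:
        rec = AuditRecord(when, user, host, tuple(argv), role, decision, reason)
        AUDIT_LOG.append(rec)
        return rec

    if not argv or not argv[0].startswith("/"):
        return record("deny", "command must be an absolute path")
    for role, grant in POLICY.items():
        if user not in ROLE_MEMBERS.get(role, set()):
            continue
        if not any(fnmatch.fnmatchcase(host, h) for h in grant["hosts"]):
            continue
        if any(_argv_matches(p, argv) for p in grant["commands"]):
            return record("allow", "matched role grant", role)
    return record("deny", "no role grants this command on this host")


def report(records: list[AuditRecord]) -> dict[str, dict]:
    """Per-user summary of who did what: decision counts plus exact commands."""
    summary: dict[str, dict] = {}
    for r in records:
        entry = summary.setdefault(r.user, {"allow": 0, "deny": 0, "commands": []})
        entry[r.decision] += 1
        entry["commands"].append((r.decision, r.host, " ".join(r.argv)))
    return summary


if __name__ == "__main__":
    authorize("alice", "pci-db-01", ["/usr/bin/systemctl", "restart", "postgresql"])
    authorize("bob", "pci-db-01", ["/usr/bin/systemctl", "restart", "postgresql"])
    authorize("bob", "pci-web-01", ["/usr/bin/journalctl", "-u", "--since=yesterday"])
    for user, entry in report(AUDIT_LOG).items():
        print(user, entry)
```

The three checks that matter are the ones a loose policy usually gets wrong: the command is matched as an argv list of fixed length, so extra arguments cannot ride along; wildcards never match option-style arguments; and the decision is recorded whether or not it was allowed, so denied attempts show up in the report. In a real deployment the audit records would be shipped to a store the audited administrators cannot write to, for the Requirement 10 reason given above.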