The Payment Card Industry Data Security Standard (PCI DSS) was created to strengthen controls on cardholder data in order to reduce payment card fraud. It provides an additional layer of protection for card issuers by requiring merchants and service providers to meet a baseline of security controls whenever they store, process, or transmit cardholder data. The standard is enforced contractually by the card brands and acquiring banks, which can impose stiff fines and penalties, require public disclosure, and ultimately suspend an organization's payment card processing privileges.
Any business that accepts payment cards or processes card data must validate its PCI compliance with a yearly assessment. Rather than treating that as one behemoth risk assessment each year, merchants should check their compliance processes continuously throughout the year; in other words, assess compliance as an ongoing element of business operations instead of as an annual event.
Proactively and automatically managing administrative privileges on the systems that store, process, or transmit cardholder data is a critical step in addressing ongoing PCI DSS compliance challenges. This can be done efficiently by implementing a privileged identity management platform.
The role of privileged identity management
Simply put, the traditional approach of developing and enforcing user activity security policies tied to individual server operating systems and administrative domains is insufficient for securing payment information in today's heterogeneous infrastructure. The modern enterprise is typically a diverse blend of on-premises and cloud infrastructure, often including Infrastructure-as-a-Service (IaaS) environments.
This broader infrastructure creates a larger attack surface, which in turn increases the risk of stolen cardholder data. IT must adopt a new approach to privileged identity management, one that aligns with the realities of hybrid computing in the modern enterprise.
Privileged identity management solutions help organizations control access to cardholder data more strictly by tracking every privileged user's access to in-scope systems. IT can audit all privileged sessions, and privileged users can use a single, unified identity to access only those resources they need to perform their jobs.
Managing privileged data
PCI DSS 3.2 was released in April 2016 and includes 12 major requirements spread across the following six PCI domains:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain an information security policy
Since the primary objective of PCI DSS is to protect cardholder data, these requirements focus on user access to the servers that host this data and the servers through which the data passes. Implementing privileged identity management helps ensure PCI DSS compliance in a number of these areas.
Organizations can use security controls to manage and limit privileged user access to PCI DSS systems and data. They can also reduce PCI scope by isolating in-scope resources, controlling user access, enforcing server-to-server communication policies that block access to cardholder data from untrusted servers, and encrypting cardholder data throughout the network. Note that segmentation only reduces scope if it is verified: PCI DSS 3.2 requires segmentation controls to be tested by penetration testing at least annually (requirement 11.3.4).
Many organizations underestimate the danger of giving employees full administrative privileges simply to carry out everyday tasks. This access significantly increases the risk of a successful attack, as well as the likelihood of findings in a PCI assessment.
For example, an internal or outsourced IT administrator making unauthorized system changes could unintentionally disable antivirus or policy settings designed to protect servers that transmit cardholder data. That is why access to protected systems should be granted only when absolutely required.
Employing least-privilege security policies means users are granted only the rights necessary to perform their daily jobs. These policies minimize the risk of a data breach and help enterprises demonstrate PCI compliance.
Supporting PCI compliance
Instead of relying on complex scripting, proprietary databases, or expensive and fragile server architectures, IT can now control privileges using a single, unified architecture. This allows organizations to centrally control access privileges to sensitive data in the cloud and on on-premises Windows, Linux, and UNIX servers.
Using a privileged identity management solution to implement and audit privileged user activity provides individual accountability for privileged access while eliminating anonymous and shared-account access, which PCI DSS requirement 8 rules out by requiring a unique ID for every user with system access. For example, Centrify's privileged identity management solutions enable organizations to consolidate identities, deliver cross-platform least-privilege access, and control shared accounts while auditing all privileged sessions.
IT can establish a least-privilege model with role-based access to individual commands, helping satisfy the relevant PCI DSS requirements consistently and on an ongoing basis. The enterprise also benefits from central reports of "who accessed what resource" and "what did they do with that access."
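The two ideas in the paragraph above, a role that grants only specific commands and a central "who ran what" record, can be checked against ordinary sudo logs. The following is an added example, not Centrify's product code or anything from the white paper: the roles, users, host names and log lines are all constructed for illustration, and the policy format is a hypothetical one that mirrors a per-role sudoers Cmnd_Alias. It parses the syslog lines sudo writes for both permitted and refused commands, builds the per-user activity record, and flags two things an assessor would ask about: commands a host allowed that the role does not grant (the host's sudoers has drifted wider than the central policy), and refused attempts to exceed the role.

```python
"""Least-privilege command policy plus a "who ran what" audit over sudo logs.

Added example, not vendor code. The policy, users, host names and log lines
below are constructed for illustration.
"""
import re
from collections import defaultdict

# Hypothetical role -> permitted commands. An entry ending in a space is a
# prefix that may take arguments; anything else must match exactly. This is
# the same idea as a per-role sudoers Cmnd_Alias instead of "ALL=(ALL) ALL".
ROLE_COMMANDS = {
    "db_operator": (
        "/usr/bin/systemctl restart postgresql",
        "/usr/bin/systemctl status postgresql",
        "/usr/bin/pg_dump ",
    ),
    "av_operator": (
        "/usr/bin/systemctl restart clamav-daemon",
        "/usr/bin/freshclam",
    ),
}
USER_ROLES = {"alice": "db_operator", "bob": "av_operator"}

# Matches the syslog lines sudo writes for both permitted and refused commands
# ("... : command not allowed ; TTY=..."). Other sudo/pam lines are ignored.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) :"
    r"(?: (?P<reason>[^;]+?) ;)? TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """\
Mar  3 10:15:22 pci-db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 10:16:05 pci-db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/pg_dump cardholder_db
Mar  3 10:20:41 pci-db01 sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 11:02:13 pci-web02 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop clamav-daemon
Mar  3 11:03:50 pci-web02 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/freshclam
Mar  3 11:30:00 pci-web02 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
""".splitlines()


def parse_sudo_line(line):
    """Return a dict for a sudo command line, or None for anything else."""
    m = SUDO_LINE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["denied"] = ev["reason"] is not None
    return ev


def command_permitted(user, cmd):
    """True only if the user's role explicitly grants this command."""
    role = USER_ROLES.get(user)
    if role is None:  # unknown user: no privilege at all
        return False
    for allowed in ROLE_COMMANDS[role]:
        if allowed.endswith(" ") and cmd.startswith(allowed):
            return True
        if cmd == allowed:
            return True
    return False


def audit(lines):
    """Build the per-user 'who ran what, where' record and flag two kinds of
    findings: commands a host let through that the role does not grant, and
    attempts sudo itself refused."""
    activity = defaultdict(list)
    findings = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        outcome = "denied" if ev["denied"] else "ran"
        activity[ev["user"]].append((ev["host"], ev["cmd"], outcome))
        if ev["denied"]:
            findings.append(("denied_attempt", ev["user"], ev["host"], ev["cmd"]))
        elif not command_permitted(ev["user"], ev["cmd"]):
            findings.append(("out_of_role", ev["user"], ev["host"], ev["cmd"]))
    return dict(activity), findings


if __name__ == "__main__":
    activity, findings = audit(SAMPLE_LOG)
    for user, events in activity.items():
        for host, cmd, outcome in events:
            print(f"{user:8} {host:10} {outcome:6} {cmd}")
    for kind, user, host, cmd in findings:
        print(f"FINDING {kind}: {user} on {host}: {cmd}")
```

On the constructed log this reports alice's refused attempt to read /etc/shadow and bob stopping the antivirus daemon, which the host's sudoers permitted even though his role grants only a restart; the latter is exactly the case described earlier of an administrator disabling a protective control, and it only surfaces because the activity record is reconciled against the intended role policy rather than against whatever each host happens to allow.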
The bottom line
Enterprises can implement highly granular, role-based privilege management controls that let administrative users get their work done without unnecessary overhead, while at the same time reducing compliance risk. IT can easily assign or revoke privileges, and the enterprise can document PCI DSS compliance through a single view of privileged access activity.
These methods allow enterprises to automate privileged identity management and monitoring while minimizing compliance overhead.
For more information about utilizing privileged identity management to support PCI compliance, download the Centrify white paper, Becoming PCI DSS Compliant.