
Identity Controls for PCI DSS

By SWI Community Team · Updated 2026-06-18 · 11 min

PCI DSS governs how organizations that handle payment card data protect it, and several of its requirements are squarely about identity. PCI DSS 4.0 raised the bar on authentication in particular. This guide maps the identity-relevant requirements to practice.

What PCI DSS expects of identity

  • Requirement 7: restrict access to cardholder data by business need to know, with role-based access and least privilege.
  • Requirement 8: identify and authenticate access. PCI DSS 4.0 expands MFA, requires it for all access into the cardholder data environment (CDE), and tightens password and credential rules.
  • Requirement 8.6: application and system accounts (non-human identities) must be managed, with credentials protected and not hardcoded.

What good looks like

  • MFA for all access to the CDE, including administrative and remote access, ideally phishing-resistant.
  • Role-based access (RBAC) scoped tightly to the CDE, with documented business justification.
  • Secrets management for application and service accounts so credentials are vaulted and rotated, never hardcoded.
  • Privileged access controls with logging for anyone administering the environment.

Common pitfalls

  • Treating MFA as satisfied by a password plus a password-reset question: both are knowledge factors, so this is still single-factor authentication.
  • Shared admin accounts into the CDE with no individual attribution.
  • Hardcoded application credentials, a direct 8.6 failure and a real breach risk.
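One way to turn the practices and pitfalls above into a repeatable check, as an added example that is not part of this guide or any vendor's tooling: a small Python reviewer that runs over a constructed CDE account inventory and tags each finding with the requirement it maps to. The account model, the factor-category table and the `PHISHING_RESISTANT` set are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Authenticator types grouped by factor category. Two authenticators from the
# same category (a password plus a reset question) are not multi-factor.
FACTOR_CATEGORY = {"password": "knowledge", "security_question": "knowledge",
                   "pin": "knowledge", "totp": "possession", "push": "possession",
                   "fido2": "possession", "fingerprint": "inherence"}
PHISHING_RESISTANT = {"fido2"}  # assumption: only FIDO2 counts here

@dataclass
class CdeAccount:
    name: str
    kind: str                           # "user", "admin" or "application"
    authenticators: list = field(default_factory=list)
    shared: bool = False                # one credential used by several people
    justification: str = ""             # documented business need for CDE access
    credential_source: str = "vault"    # "vault" or "hardcoded" (application accounts)

def is_mfa(authenticators):
    """True only when authenticators span two or more distinct factor categories."""
    categories = {FACTOR_CATEGORY[a] for a in authenticators if a in FACTOR_CATEGORY}
    return len(categories) >= 2

def review_account(acct):
    """Return findings tagged with the PCI DSS requirement each maps to (empty = clean)."""
    findings = []
    if not acct.justification.strip():
        findings.append("7: no documented business justification for CDE access")
    if acct.kind in ("user", "admin"):
        if not is_mfa(acct.authenticators):
            findings.append("8: not MFA - factors do not span two categories")
        elif not PHISHING_RESISTANT & set(acct.authenticators):
            findings.append("8 (advisory): MFA is not phishing-resistant")
        if acct.shared:
            findings.append("8: shared account - no individual attribution")
    if acct.kind == "application" and acct.credential_source == "hardcoded":
        findings.append("8.6: application credential is hardcoded")
    return findings

# Constructed sample inventory, not real accounts.
SAMPLE_ACCOUNTS = [
    CdeAccount("alice", "admin", ["password", "fido2"], justification="DB administration"),
    CdeAccount("cde-admin", "admin", ["password", "security_question"], shared=True,
               justification="legacy shared console"),
    CdeAccount("billing-svc", "application", credential_source="hardcoded"),
]

def review_all(accounts=SAMPLE_ACCOUNTS):
    return {a.name: review_account(a) for a in accounts}
```

In practice the inventory would come from the IdP and secrets manager exports rather than a literal list; the checks themselves do not change.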
