This is the first entry of an ongoing series on meeting Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 8 compliance. Being prepared for regulatory compliance is critical for every company that processes credit card data.
Beyond the need to protect corporate assets and customer data, enterprises in many industries must adhere to industry regulations that are designed to protect customer data and privacy. Any company that processes credit card data must comply with the PCI DSS. PCI standards ensure companies accepting, processing, storing, and transmitting credit card data maintain a secure environment.
PCI Requirement 8 compliance and best practices
PCI Requirement 8 compliance applies to point-of-sale (POS) system accounts with administrative capabilities and all accounts that view and access cardholder data, or access systems with cardholder data, including vendors and third parties. Unique IDs are required for all users to access system components. This means a company’s IT infrastructure must identify and validate all users connecting to its systems, and be able to control, trace, and report on their access and actions.
Requirements for PCI Requirement 8 compliance centers around system access, such as having programmatic methods for accessing databases, password management, and authentication that includes two-factor authentication for remote users.
While PCI requirements for the credit card industry identify controls for handling and protecting cardholder data, they fit perfectly within the wheelhouse of identity and access management (IAM) best practices. These best practices apply to any organization that needs to have a strong risk avoidance and security posture. Furthermore, compliance with PCI Requirement 8 represents good general security hygiene and appropriate key performance indicators for risk mitigation.
Identity management controls confirm the identity of the user, to ensure their validity. Policies are used to enforce controls for the ID lifecycle. An example of an identity’s lifecycle could be a customer service representative at a credit card company. This individual will have their unique ID assigned, with their role in the company, the customer(s) they are authorized to work with, and access to certain sets of data. When they leave the company, the accounts are de-provisioned and/or access permissions updated, disabling all access to company systems.
Companies that process, store and transmit cardholder data must understand the requirements set forth in the PCI standard, or they may face stiff financial penalties. The fines for being non-PCI compliant can be up to $500,000. However, the cost of remediation from a breach and the potential brand damage can far outweigh the fines associated with being non-compliant. The PCI requirements to protect cardholder data are in place to safeguard both the cardholder and the companies that handle their information. Understanding the risk exposure is one thing. But knowing how to mitigate the risk is vital for any company to be successful.
Stay tuned to this series as we address the subsections of PCI Requirement 8 compliance, and learn how IDaaS addresses each of them to help you protect your business, and comply with the requirements for the information security standard.