
This is the first entry of an ongoing series on meeting Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 8 compliance. Being prepared for regulatory compliance is critical for every company that processes credit card data.
Beyond the need to protect corporate assets and customer data, enterprises in many industries must adhere to industry regulations that are designed to protect customer data and privacy. Any company that processes credit card data must comply with the PCI DSS. PCI standards ensure companies accepting, processing, storing, and transmitting credit card data maintain a secure environment.
PCI Requirement 8 compliance and best practices
PCI Requirement 8 compliance applies to point-of-sale (POS) system accounts with administrative capabilities and all accounts that view and access cardholder data, or access systems with cardholder data, including vendors and third parties. Unique IDs are required for all users to access system components. This means a company’s IT infrastructure must identify and validate all users connecting to its systems, and be able to control, trace, and report on their access and actions.
The requirements for PCI Requirement 8 compliance center on system access: programmatic methods for accessing databases, password management, and authentication, including two-factor authentication for remote users.
While PCI requirements for the credit card industry identify controls for handling and protecting cardholder data, they fit perfectly within the wheelhouse of identity and access management (IAM) best practices. These best practices apply to any organization that needs to have a strong risk avoidance and security posture. Furthermore, compliance with PCI Requirement 8 represents good general security hygiene and appropriate key performance indicators for risk mitigation.
Identity management controls confirm the identity of the user so that only valid users are granted access. Policies are used to enforce controls across the ID lifecycle. Consider, for example, the lifecycle of a customer service representative's identity at a credit card company. This individual is assigned a unique ID that carries their role in the company, the customer(s) they are authorized to work with, and access to certain sets of data. When they leave the company, their accounts are de-provisioned and/or their access permissions are updated, disabling all access to company systems.
Companies that process, store and transmit cardholder data must understand the requirements set forth in the PCI standard, or they may face stiff financial penalties. The fines for being non-PCI compliant can be up to $500,000. However, the cost of remediation from a breach and the potential brand damage can far outweigh the fines associated with being non-compliant. The PCI requirements to protect cardholder data are in place to safeguard both the cardholder and the companies that handle their information. Understanding the risk exposure is one thing. But knowing how to mitigate the risk is vital for any company to be successful.
Stay tuned to this series as we address the subsections of PCI Requirement 8 compliance, and learn how IDaaS addresses each of them to help you protect your business, and comply with the requirements for the information security standard.
Shawn Keve is responsible for sales, business development, channel partners and marketing at Simeio. He played a key role in growing the business 20 times, making Simeio one of the fastest growing companies in North America.
Previously, Shawn was Consulting Director at Oracle and Director of Professional and Managed Services for Sun Microsystems (prior to Oracle’s acquisition of Sun), where he was responsible for the sales and delivery of a $100M portfolio of IT services. Before joining Sun, he held leadership roles at Netscape (acquired by AOL), KPMG Consulting, and MIT Lincoln Laboratory.
Shawn has over 22 years of experience servicing clients in the strategy, architecture, design and implementation of enterprise solutions across several industries, including financial services, healthcare, life sciences, manufacturing, media & entertainment, telecommunications and retail. He holds a Bachelor of Science degree in Business Administration (Management Information Systems) from Northeastern University.