Mobile Search Mobile Menu
Shawn Keve
November 18th, 2019

This is the second article in an ongoing series on PCI DSS Requirement 8 compliance. When we see the ongoing stream of news reports on cybersecurity breaches, we understand cybersecurity is a growing concern for every business and their supporting IT organization(s). 

PCI Requirement 8 for the credit card industry identifies controls for handling and protecting cardholder data. Risk can be mitigated by using identity and authentication services that apply verified unique IDs to every user. This capability identifies and holds responsible those engaged in malicious activity and data breaches. 

Identity as a Service, or IDaaS, provides authentication and identity management (e.g. identity proofing and verification, registration, setting access permissions) delivered as a service. It ensures all users are who they claim to be, authenticating and authorizing access to applications, information, files, databases and network resources in a controlled and auditable manner. Using the credit card employee example, IDaaS automates the entire lifecycle of the employee’s ID, from onboarding and assigning access rights, to final off-boarding. 

Not all IDaaS are created equal, but a full-featured IDaaS will securely connect to systems of record (e.g. HRIS, corporate directory) and, based upon policies, automatically assign access to the appropriate systems or trigger the appropriate approval task when a user requests access to a system or data set. The IDaaS solution can connect to multiple systems and automatically provision the employee ID with access to those systems. If that customer service representative gets reassigned to a different customer, the IDaaS solution automatically re-assigns access and removes access to previous customer information.

How IDaaS works in a nutshell

As I mentioned, not every IDaaS offering enables the same capabilities. With that said, when the employee is hired, the administrator simply logs into the HRIS or the IDaaS service portal to assign the employee’s information and ID, which in turn, authorizes access to the appropriate customers, data, systems, etc. The IDaaS platform uses connectors to applications, systems, and resources, and automatically enforces the PCI compliance policies. When that employee leaves the company, human resource personnel enter their information into the HR system. Based on the identity lifecycle information and access control policies, the employee ID, and all that is associated with it, is automatically de-provisioned, so they no longer have access to the company’s systems. 

The IDaaS solution manages and enforces the right access governance policies, and automates access. The report information provided is highly valuable when preparing an audit, with traceable evidence that the proper controls are in place and documented for all users.

Achieving PCI Requirement 8 compliance without IDaaS will be challenging

Without an IDaaS solution, this process will be manual, and potential problems can develop. Errors can go undetected and unauthorized access can be granted without appropriate visibility, oversight, and auditability. In this case, at the time of hiring, the human resource manager will add the new employee into their HR system. Then, the hiring manager will need to open a number of service desk ticket requests to have IT and/or Application Owners assign access to various systems and applications, like customer relationship management (CRM). If that employee is reassigned to a different customer, moves into another department altogether, or leaves the company, every system they had access to, will need to be manually updated. Unfortunately, these manual updates don’t always happen, posing a serious security risk should the employee (or an imposter) engage in malicious activities with these credentials. 

Stay tuned to this series as we address the sub-requirements of PCI Requirement 8 compliance, and learn how IDaaS addresses each of them to help you protect your business, and comply with the mandate for the information security standard.