The goal of the Payment Card Industry Data Security Standard (PCI DSS) is to protect cardholder information from abuse. While the standard does not recommend specific technologies, its requirements line up with best practices for how payment card information should be handled, transmitted, and stored in order to secure it adequately.
There is no shortage of solutions, appliances, and tools available to protect cardholder information while it is in transit over the network and at rest on a database server. Attackers seeking to steal this information know that these two areas are well defended, so they go after the one asset that is more susceptible to a breach: the user and their accounts.
To make sure that the payment card information your business collects is properly secured, you need to make identity management a foundation of your PCI compliance program.
Why identity management matters
The handling of payment card information is a tricky area when it comes to security because there are two fundamental questions that need to be answered:
How do you restrict access to card data to only the people who need to see it?
How do you ensure that the person on the other end of that authorized account is who they say they are?
Let’s look at each of these questions individually to see just how identity management solutions help reduce fraud.
For your eyes only
The PCI standards are very clear that not everyone should have access to cardholder data by including the statement, “Restrict access to data by business need-to-know” in section seven. Policies can be put in place to govern that, but all it takes is one malicious insider to steal all that data. Not only does a rogue employee pose a threat, but think about how easy it is for someone to mistakenly share or expose confidential cardholder information if it is not locked down securely. If your PCI compliance is built on a solid identity management platform, these risks are greatly reduced because these solutions make it much easier to control and audit access to systems, applications, folders, and even network resources that house this type of information.
Who’s really there?
When attackers want to get into a system, they know that all it takes is for one user to click a weaponized link in an email, and they own that account. Even if they aren’t able to compromise a user with access to cardholder data, they can move laterally through the network until they obtain the privileges they need.
Again, identity management solutions address this issue. With multi-factor authentication, much more than a username and password is required to access any confidential data on your network, especially cardholder information. By requiring users to provide something they know (knowledge), something they have (possession), and something they are (inherence), you add a layer of protection against compromised user accounts that could end up saving your company’s reputation. Adaptive authentication takes this one step further and changes the authentication requirements based on how sensitive or important the data is.
Since version 1, the PCI DSS has required multi-factor authentication for all remote access to cardholder data by standard users, administrative users, and vendors. PCI DSS version 3.2, released in April 2016, takes this one step further and requires multi-factor authentication for admin-level access to cardholder data even from within a local secure network.
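The two rules above (need-to-know access from section seven, and multi-factor authentication for remote access or for administrative access to cardholder data) can be expressed as a single access-control decision. The following is an added example, not code from the article or from any identity management product; the role names, the sensitivity labels and the two-factor threshold are assumptions, and it also enforces that the factors presented come from distinct categories, since two passwords are not multi-factor.

```python
from dataclasses import dataclass

# Factor categories named in the article: knowledge, possession, inherence.
FACTOR_TYPES = frozenset({"knowledge", "possession", "inherence"})

# Hypothetical need-to-know map: roles permitted to see each data class.
# None means any authenticated user may access that class.
NEED_TO_KNOW = {
    "cardholder": frozenset({"billing", "fraud-analyst", "dba"}),
    "general": None,
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset            # roles assigned to the account
    factors: tuple              # factor categories verified this session
    remote: bool                # access originates outside the local network
    is_admin: bool              # admin-level access to the resource
    sensitivity: str            # "cardholder" or "general"


def required_factor_types(req: AccessRequest) -> int:
    """Adaptive rule: cardholder data reached remotely, or by an admin,
    needs two distinct factor categories; everything else needs one."""
    if req.sensitivity == "cardholder" and (req.remote or req.is_admin):
        return 2
    return 1


def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Need-to-know is checked before MFA so a
    user with no business need is refused regardless of how they signed in."""
    allowed_roles = NEED_TO_KNOW.get(req.sensitivity)
    if allowed_roles is None and req.sensitivity not in NEED_TO_KNOW:
        return False, f"unknown data class {req.sensitivity!r}"
    if allowed_roles is not None and not (req.roles & allowed_roles):
        return False, "no business need-to-know"
    # Duplicate categories (e.g. password plus PIN) collapse to one.
    distinct = set(req.factors) & FACTOR_TYPES
    needed = required_factor_types(req)
    if len(distinct) < needed:
        return False, f"MFA required: {needed} factor types, {len(distinct)} presented"
    return True, "allowed"


def audit_line(req: AccessRequest) -> str:
    """One-line audit record of the decision, for the access log."""
    allowed, reason = decide(req)
    return f"user={req.user} class={req.sensitivity} remote={req.remote} " \
           f"admin={req.is_admin} result={'ALLOW' if allowed else 'DENY'} ({reason})"
```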
Without identity management serving as the foundation of your PCI compliance efforts, you leave the door open to the most commonly compromised asset: your users.