DSS: PAM as the answer to fundamental PCI DSS requirements

What is The Payment Card Industry Data Security Standard (PCI DSS)? It’s a worldwide information security standard for all organizations that process credit cardholder information. Since Visa first rolled out its Cardholder Information Security Program (CISP) in 2001, organizations that manage cardholder data have been given detailed guidelines for securing their infrastructure and ultimately the payment data they manage.

While the PCI DSS requirements aren’t new, organizations’ technological environments and the threats have changed dramatically in recent years. Further, the industry’s guidelines continue to evolve! The most recent release of PCI DSS, version 3.2, taking effect in July 2018.

With 12 requirements and 200 sub-requirements, PCI DSS compliance focuses on topics such as:

  • maintaining a secure network
  • vulnerability management
  • access control measures

The PCI DSS has rules on everything – from changing employee passwords regularly to deploying firewalls. Many rules focus on the security of cardholder data and the systems used to manage it. Privileged accounts and their management is the central pointof which converge people, process, policy, technology, and security. It’s no surprise then that the PCI DSS 3.2 standards spend much of time stressing the importance of protecting privileged accounts.

A key change in the PCI DSS 3.2 standard is the requirement to implement multi-factor authentication. Mostly for administrators accessing cardholder data (CDE).  As Troy Leach, the Chief Technology Officer of PCI, explained “Multi-factor authentication requires two or more technologies to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase. Something you have, such as a token or smart card. Or something you are, such as a biometric. Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.”

MFA Reality

The reality is that it can be a daunting task to implement Multi-Factor-Authentication on legacy CDE systems.

For one thing, there may be dozens, if not hundreds of various cross-integrated systems. And also implementing MFA on all of them would be a monumental task. One solution is to implement an enterprise Privileged Account Management (PAM) solution, which would require an MFA login, and would act as a gateway to the CDE.

Through a complete PAM solution, such as Fudo PAM, an organization would require all administrators to log into Fudo’s central hub using their MFA credentials (either using either built-in strong authentication mechnisms or integrated with external authentication systems), and then connect via Fudo Privileged Session Manager (PSM) to the target CDE. Even if the CDE asset doesn’t support any kind of MFA, they will meet the PCI DSS requirement. The target CDE would simply have to require that all access comes from the PSM via firewall rules, quickly solving the MFA question. It also makes sure that all sessions are duly recorded and provide rigid documentation of all critical operations on CDE.

Are you interested in a demo of Fudo Security solution?

Visit our website and schedule it here.