A data breach exposing cardholder data can be devastating. In addition to the cost of breach response, notification of affected customers, legal fees, fines, and penalties, merchants face customer churn and tarnished reputations. That’s why Payment Card Industry Data Security Standard (PCI DSS) compliance is more important than ever.
Though PCI DSS compliance will not prevent a security breach, it has been shown to help protect payment systems from the theft of cardholder data.
However, the Verizon 2018 Payment Security Report finds that full compliance with PCI DSS has dropped for the first time in six years. In 2017, only 52.5 percent of organizations were fully compliant, compared to 55.4 percent in 2016. That’s alarming in light of the ever-growing security threats that organizations face today.
PCI DSS consists of 12 requirements that incorporate technical, physical, and policy-based controls. A number of these requirements, listed below, involve user access to systems and the protection of user credentials and other “secrets” within an IT environment.
The emphasis on user access generally and privileged accounts specifically is hardly surprising. A cybercriminal who is able to obtain privileged account credentials could gain the highest levels of access to systems, data, and security controls. Attackers could steal or manipulate cardholder data and modify systems and audit trails to cover their tracks. Privileged Threat Analytics (PTA), a component of the CyberArk suite, can regularly monitor privileged access patterns and alert on anomalous access behaviors.
Clango’s CyberArk Certified Delivery Engineers can help organizations achieve and maintain PCI DSS compliance through the use of CyberArk’s Core Privileged Access Security solution. This solution features the Enterprise Password Vault, a highly secure repository for storing privileged account credentials and encryption keys. The vault also provides granular access controls and enables automatic rotation of credentials and encryption keys.
Enterprise Password Vault further aids in PCI DSS compliance by maintaining a detailed audit trail of privileged access. Clango builds on that with its CyberArk Analytics Reporting Tool (CART), a web-based interface that enables security and audit teams to view, search, analyze, and report on the data stored in the vault. CART’s familiar spreadsheet paradigm makes it easy for business users to sort and filter data and run complex queries. Prebuilt reports can be cloned and modified to meet a wide range of business, IT, and compliance requirements.
If your organization is struggling to maintain full PCI DSS compliance, we invite you to contact Clango for a confidential consultation. Let us help you develop a payment card security strategy incorporating CyberArk privileged access management and our easy-to-use reporting tool.
For more information about meeting PCI DSS requirements, please send us an email at info@clango.com.