PCI control over access: 4 steps to compliance

By providing visibility and control of corporate access and data, IS Decisions software solutions help companies ensure compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). 

In this article we’ll focus on how to get compliant by strengthening PCI control over access with need-to-know restrictions, multi-factor authentication, enhanced monitoring and detailed reporting.

What is PCI DSS?

The Payment Card Industry Security Standards Council (PCI SCC) determines and regulates the PCI DSS standards. The PCI DSS standard is a set of security standards with the goal to “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information.

In other words, the standard exist to make stealing identities difficult by protecting the personally identifiable information (PII) necessary to make consumer transactions by credit, debit or cash cards.

PCI DSS compliance requirements

Simply put, PCI DSS controls follow common sense steps that mirror best security practices. It applies to all entities that store, process, and/or transmit cardholder data. The standards promote security as a continuous process, shifting away from time-based audits to continuous security auditing and reporting.

For an overview of the most up-to-date PCI Security standards, here’s the PCI DSS v4.0 Quick Reference Guide

Implementing strong PCI access control measures

The new standards recognize the critical role of Identity and Access Management (IAM) and multi-factor authentication (MFA) in safeguarding cardholder data, aligning with the NIST guidance on digital identities for authentication and life-cycle management.

1. Restrict access by “need-to-know”

PCI Requirement 7: Restrict access to cardholder data by business need-to-know

“To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities”.

Restricting Access is therefore crucial!

• Restrict access to Cardholder Data Environments employing access control measures such as RBAC (Role-Based Access Control).

• Limit access to only those individuals whose job requires such access. Vendor or third-party accounts may be enabled only as needed and monitored when in use.

• Formalize an access control policy that includes a list of who gets access to specified cardholder data.

• Deny all access to anyone who is not specifically allowed to access cardholder data.

• Review access privileges at least once every six months.

With UserLock (security for network access) and FileAudit (security for file access) you can instantly identify and remediate any access attempts that are not in line with your security and compliance policies.

UserLock protects access to your data across Windows-based networks and cloud applications. You can restrict and control access to the network through user logons according to customized user access policies. Working in an innovative interface, you simply specify rules according to user, user group or organizational unit and session type and rely on UserLock to automatically control the “when”, “where” and “how long” your users access resources on your network.

FileAudit protects all file servers in their Windows environment or in the cloud by monitoring, archiving and reporting on all file access (and access attempts) to all files and folders. By constantly examining and recording read/write/delete access (or access attempts), file ownership changes and permission modifications, IT can immediately address any inappropriate accesses.

2. Identify users with a unique ID

PCI Requirement 8: Assign a unique ID to each person with computer access

“Assigning a unique identification to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, know and authorized users.” 

Logins are the first line of defense in protecting data on a Windows network. By preventing concurrent logins, we can ensure access is attributed to an individual employee. Preventing concurrent logins also makes it impossible for a rogue user to use valid credentials at the same time as the legitimate owner and also decreases the likelihood of users sharing passwords as it impacts their own ability to access the network.

Concurrent logins can only be prevented securely with UserLock, ensuring you can identify all users connected to your network environment and deny rogue users who attempt to access the network using shared passwords.

3. Authenticate access with MFA

PCI Requirement 8.4.2: This is a new requirement to implement MFA for all access into the cardholder data environment (CDE). One of the major updates in PCI DSS v.4.0 is the implementation of MFA every time, for all accounts that have access to cardholder data, not just administrators.

PCI Requirement 8.5.1: Also a new requirement, this concerns secure implementation of MFA systems.

MFA will need to be in place to protect system components, such as:

• Servers

• Cloud environments

• On-premise applications

• Workstations

• Servers

• Network security devices

• Hosted systems

• Endpoints

These MFA requirements will be considered as best practices until March 31, 2025. After that date, MFA will be fully considered during a PCI DSS assessment.

UserLock MFA makes it easy to enable MFA on all connections, in all conditions. With our granular, non-disruptive MFA, you can verify the identity of all Active Directory accounts and secure access to network and cloud services.

4. Regularly monitor and test networks

PCI Requirement 10: Track and Monitor all access to network resources and cardholder data

“Organizations must track and monitor all access to cardholder data and related network resources — in stores, regional offices, headquarters and other remote access.”

Both UserLock and FileAudit offer extensive reporting to help your company show proof of compliance during PCI DSS controls and other regulatory audits.

Having set and implement your access control policy to restrict and manage users access to the network, UserLock continuously monitors all login and session events, and reports on network access in real-time with detailed, graphical dashboards and alerts. Authorized users across the network are tracked according to session type (workstations, terminal, interactive, Wi-Fi, VPN) to ensure all the network is protected and visibility achieved.

Customized reports according to multiple criteria ensures security for auditing and regulatory compliance. By centralizing and archiving all file access events occurring on one or several Windows systems, FileAudit ensures an always-available, searchable and secure audit trail is achieved.