PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a contractual security standard that applies to any organisation that stores, processes, or transmits cardholder data. PCI DSS v4.0 (effective March 2024) introduces significant changes to IAM requirements, including more prescriptive access control and authentication controls.

PCI DSS Requirements Map to IAM

| PCI DSS Req. | Title | IAM Focus Area |
|---|---|---|
| Req. 7 | Restrict access to cardholder data by business need-to-know | Access control policy, RBAC, need-to-know |
| Req. 8 | Identify users and authenticate access to system components | Unique IDs, MFA, password management |
| Req. 9 | Restrict physical access to cardholder data | Physical access control, visitor management |
| Req. 10 | Log and monitor all access to network resources and cardholder data | Audit logging, SIEM integration |
| Req. 12 | Support information security with organisational policies and programs | Security awareness, risk assessment, access review |

Requirement 7 — Access Control

| PCI DSS v4.0 Sub-Requirement | IAM Control |
|---|---|
| 7.2.1 | Access control systems grant access based on job classification and function |
| 7.2.2 | Access is granted using least privileges |
| 7.2.4 | All access to CDE systems/applications is reviewed every 6 months |
| 7.2.5 | Access for terminated users is immediately revoked |
| 7.3.1 | CDE user accounts are managed through an access control system |
| 7.3.2 | CDE accounts support and enforce least privilege |
| 7.3.3 | All user access is authorised before provisioning |

Requirement 8 — Authentication

| PCI DSS v4.0 Sub-Requirement | IAM Control |
|---|---|
| 8.3.1 | MFA implemented for all non-console admin access to CDE |
| 8.3.2 | MFA implemented for all remote access to CDE |
| 8.3.3 | MFA implemented for all remote access originating from outside the entity's network |
| 8.4.1 | MFA systems are managed to prevent misuse |
| 8.5.1 | Passwords and passphrases meet defined complexity and length |
| 8.6.1 | Users authenticate before accessing the CDE |
| 8.6.2 | User identity is verified before modifying authentication factors |
| 8.6.3 | All user account changes are logged |
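The two tables above describe what a policy decision point has to enforce: a role-based need-to-know check (7.2.1, 7.2.2) and the three MFA triggers (8.3.1, 8.3.2, 8.3.3). The following is an added example written for this page, not code from the page or from any IAM product; the role names, CDE system names, internal address ranges and request fields are all constructed assumptions, and "remote" is interpreted as any session that is not a directly attached console.

```python
# Added example (not from the page): a minimal policy decision point that
# applies the Requirement 7 need-to-know check and the Requirement 8 MFA
# triggers to an access request for a CDE system. The role names, system
# names, address ranges and request fields are all constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Req 7.2.1 / 7.2.2: entitlements are granted to job functions, not people,
# and each role carries only what that function needs (constructed map).
ROLE_ENTITLEMENTS = {
    "payment-ops":   {("payment-gateway", "read"), ("payment-gateway", "operate")},
    "fraud-analyst": {("card-data-db", "read")},
    "cde-admin":     {("payment-gateway", "admin"), ("token-vault", "admin"),
                      ("card-data-db", "admin")},
}
CDE_SYSTEMS = {"payment-gateway", "token-vault", "card-data-db"}
PRIVILEGED_ACTIONS = {"admin"}
# Constructed internal address space; a source outside it is "outside the
# entity's network" in the sense of 8.3.3.
ENTITY_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    system: str
    action: str
    source_ip: str
    console: bool        # True only for a directly attached console session
    mfa_verified: bool   # True when a second factor was verified this session


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def mfa_required(req: AccessRequest):
    """Return (required, trigger) by testing the 8.3.1-8.3.3 conditions in order."""
    network_session = not req.console
    outside = not any(ip_address(req.source_ip) in net for net in ENTITY_NETWORKS)
    if req.system in CDE_SYSTEMS and req.action in PRIVILEGED_ACTIONS and network_session:
        return True, "8.3.1 non-console administrative access to the CDE"
    if req.system in CDE_SYSTEMS and network_session:
        return True, "8.3.2 remote access to the CDE"
    if network_session and outside:
        return True, "8.3.3 remote access from outside the entity's network"
    return False, ""


def evaluate(req: AccessRequest) -> Decision:
    """Deny unless a role grants the (system, action) pair and any MFA trigger is satisfied."""
    decision = Decision(allowed=True)
    entitlements = set()
    for role in req.roles:
        entitlements |= ROLE_ENTITLEMENTS.get(role, set())
    if (req.system, req.action) not in entitlements:
        decision.allowed = False
        decision.reasons.append(
            f"7.2.1 no role held by {req.user} grants '{req.action}' on {req.system}")
    required, trigger = mfa_required(req)
    if required and not req.mfa_verified:
        decision.allowed = False
        decision.reasons.append(f"MFA not verified but required by {trigger}")
    return decision


if __name__ == "__main__":
    demo = AccessRequest("alice", frozenset({"cde-admin"}), "card-data-db",
                         "admin", "10.1.2.3", console=False, mfa_verified=False)
    print(evaluate(demo))
```

The entitlement check runs before the MFA check so that a user with no business need is refused regardless of how strongly they authenticated; the MFA triggers are tested in requirement order so the reason string names the most specific sub-requirement that applies.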

PCI DSS v4.0 New IAM Requirements

v4.0 introduces several new requirements that significantly impact IAM programs:

| New Requirement | v4.0 Effective Date | IAM Action Required |
|---|---|---|
| 7.2.4 — Access reviews every 6 months | March 2025 | Implement automated certification campaigns with 6-month frequency |
| 8.3.1 — MFA for all non-console admin access | March 2024 | MFA enrolment for all administrative users |
| 8.6.1 — Users authenticate before accessing CDE | March 2025 | Implement session authentication validation |
| 8.6.2 — Identity verification for auth factor changes | March 2025 | Out-of-band verification for MFA token changes |
| 10.4.2.1 — Automated logging of all access to CDE | March 2025 | SIEM integration with automated log collection |

Cardholder Data Environment (CDE) Access Control

Defining the CDE

The CDE includes:

  • Systems that store, process, or transmit cardholder data
  • Systems that connect to or support CDE systems
  • Network segments that contain CDE systems
  • Administrative workstations that manage CDE systems

Tip

Use network segmentation to reduce the scope of PCI DSS. A well-segmented CDE means IAM controls only need to apply to a limited set of systems rather than the entire enterprise. Each system excluded from CDE scope must be justified with documented network segmentation controls.

CDE Access Control Architecture

┌─────────────────────────────────────────────────────────┐
│ Enterprise Network                                      │
│                                                         │
│  ┌───────────────────────────────────────────────────┐  │
│  │ CDE - Cardholder Data Environment                 │  │
│  │                                                   │  │
│  │  ┌──────────┐   ┌──────────┐   ┌──────────┐       │  │
│  │  │ Payment  │   │  Token   │   │   Card   │       │  │
│  │  │ Gateway  │   │  Vault   │   │ Data DB  │       │  │
│  │  └──────────┘   └──────────┘   └──────────┘       │  │
│  │                                                   │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │ PAM Gateway (Session Proxy)                 │  │  │
│  │  └─────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────┘  │
│                                                         │
│  ┌───────────────────────────────────────────────────┐  │
│  │ Admin Access (JIT through PAM)                    │  │
│  │  - MFA required                                   │  │
│  │  - Session recording                              │  │
│  │  - Approval workflow for elevated access          │  │
│  └───────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────┘

PCI DSS Access Review

Requirement 7.2.4 — Access Reviews Every 6 Months

PCI DSS v4.0 specifically requires that all access to CDE systems and applications be reviewed every 6 months. This is an explicit requirement, not a recommendation.

| Access Review Element | Requirement | Implementation |
|---|---|---|
| Frequency | Every 6 months | Set certification campaigns with 6-month recurrence |
| Scope | All user accounts with CDE access | Include application, system, and service accounts |
| Reviewer | System owner, data owner, or authorised manager | Each CDE system must have a designated owner |
| Evidence | Signed/dated review report | Digital signatures or audit-approved electronic records |
| Privileged access | Separate review track for privileged users | Include PAM review as part of certification |

Service Account Management for PCI

Service accounts in the CDE present a particular challenge because they are not tied to an individual person and never log in interactively, so the controls designed around a human user (personal credentials, MFA prompts, a named reviewer) do not apply directly. PCI DSS v4.0 addresses this:

| Service Account Requirement | Implementation |
|---|---|
| Unique IDs for each service account | No shared service accounts in CDE |
| Passwords changed at least every 6 months | Automated password rotation |
| MFA alternatives (certificate-based) | Certificate-based authentication with automated renewal |
| Documented business justification | Service account inventory with business case |
| Access reviewed every 6 months | Include service accounts in access review scope |
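Both the 7.2.4 review table and the service-account table above reduce to the same sweep over an account inventory: find every CDE account whose last review or last credential rotation is older than six months, that lacks a designated owner or a business justification, or whose credential is shared. The block below is an added example for this page, not code from the page or from any certification product; the inventory records, dates, owner names and the 182-day reading of "every 6 months" are all constructed assumptions.

```python
# Added example (not part of the page): a 6-month certification sweep over a
# constructed CDE account inventory, covering the 7.2.4 review cadence and the
# service-account rules (unique IDs, 6-month password rotation, documented
# justification, inclusion in the review). Every account record, date and
# owner name below is made up for the illustration.
from datetime import date, timedelta

# "Every 6 months" is approximated here as 182 days (assumption).
REVIEW_INTERVAL = timedelta(days=182)
ROTATION_INTERVAL = timedelta(days=182)
AS_OF = date(2024, 11, 1)   # constructed "today" for the demo run

INVENTORY = [
    {"id": "alice", "kind": "user", "owner": "payments-mgr", "privileged": False,
     "cde_systems": ["payment-gateway"], "last_reviewed": date(2024, 9, 1)},
    {"id": "bob-admin", "kind": "user", "owner": "cde-sysowner", "privileged": True,
     "cde_systems": ["card-data-db"], "last_reviewed": date(2024, 1, 15)},
    {"id": "svc-tokenizer", "kind": "service", "owner": "vault-owner", "privileged": False,
     "cde_systems": ["token-vault"], "last_reviewed": date(2024, 8, 20),
     "last_rotated": date(2024, 2, 1), "justification": "Tokenisation batch job",
     "used_by": ["tokenizer-batch"]},
    {"id": "svc-etl", "kind": "service", "owner": None, "privileged": False,
     "cde_systems": ["card-data-db"], "last_reviewed": None,
     "last_rotated": date(2024, 10, 1), "justification": "",
     "used_by": ["etl-job-a", "etl-job-b"]},
]


def certification_findings(inventory, today):
    """Return (account_id, requirement, finding) tuples for every gap found."""
    findings = []
    for acct in inventory:
        aid = acct["id"]
        # 7.2.4: every CDE account, human or service, needs a review inside the interval.
        last = acct.get("last_reviewed")
        if last is None or today - last > REVIEW_INTERVAL:
            findings.append((aid, "7.2.4", "access review overdue or never performed"))
        # Each CDE account needs a designated owner who can act as reviewer.
        if not acct.get("owner"):
            findings.append((aid, "7.2.4", "no designated owner to perform the review"))
        if acct["kind"] == "service":
            if not acct.get("justification"):
                findings.append((aid, "service", "no documented business justification"))
            # One credential used by several workloads is a shared account.
            if len(acct.get("used_by", [])) > 1:
                findings.append((aid, "service", "credential shared by multiple workloads"))
            rotated = acct.get("last_rotated")
            if rotated is None or today - rotated > ROTATION_INTERVAL:
                findings.append((aid, "service", "password rotation overdue"))
    return findings


def review_tracks(inventory):
    """Split the campaign into a standard track and a separate privileged (PAM) track."""
    standard = [a["id"] for a in inventory if not a.get("privileged")]
    privileged = [a["id"] for a in inventory if a.get("privileged")]
    return standard, privileged


if __name__ == "__main__":
    for aid, req, text in certification_findings(INVENTORY, AS_OF):
        print(f"{aid:<15} {req:<8} {text}")
    print("privileged track:", review_tracks(INVENTORY)[1])
```

Running the sweep against the constructed inventory flags the stale administrator review, the overdue service-account rotation, and the unowned, shared, unjustified ETL account, while the account reviewed two months earlier produces nothing; the privileged track is returned separately so it can be routed to the PAM review.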

PCI DSS Logging and Monitoring

Requirement 10 — Log and Monitor Access

| Audit Log Element | PCI DSS Requirement | IAM Data Source |
|---|---|---|
| User identification | 10.3.1 | Authentication logs, session records |
| Event type | 10.3.2 | Access type (login, create, modify, delete) |
| Date and time | 10.3.3 | Timestamp from authoritative time source |
| Success/failure indication | 10.3.4 | Authentication success/failure, access grant/deny |
| Origination | 10.3.5 | Source IP, device ID, geolocation |
| Identity of affected data | 10.3.6 | Cardholder data access events |
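A practical way to use the 10.3 table is as a schema check at the point where IAM events are handed to the SIEM: an event that lacks any of the six elements cannot later prove who did what to which cardholder data, so it should be rejected and the source fixed rather than silently indexed. The block below is an added example for this page, not code from the page or from any SIEM vendor; the JSON field names and the four sample events are constructed, and the check that a timestamp carries a UTC offset is this example's own proxy for "authoritative time source".

```python
# Added example (not from the page): a gate that checks IAM audit events for
# each element Requirement 10.3 calls for before they are forwarded to the
# SIEM. The JSON field names and the sample events are constructed for this
# illustration and are not a real product's schema.
import json
from datetime import datetime

# Each 10.3.x element mapped to the event field that satisfies it (constructed schema).
REQUIRED_ELEMENTS = {
    "10.3.1 user identification": "user_id",
    "10.3.2 event type": "event_type",
    "10.3.3 date and time": "timestamp",
    "10.3.4 success/failure indication": "outcome",
    "10.3.5 origination": "source_ip",
    "10.3.6 identity of affected data": "resource",
}
VALID_OUTCOMES = {"success", "failure"}

# Constructed NDJSON lines: two complete events, one with a naive timestamp
# and no resource, and one with no user and a non-standard outcome value.
SAMPLE_EVENTS = [
    '{"timestamp": "2025-03-31T09:15:02+00:00", "user_id": "alice", "event_type": "login", '
    '"outcome": "success", "source_ip": "10.1.2.3", "resource": "payment-gateway"}',
    '{"timestamp": "2025-03-31T09:16:40+00:00", "user_id": "bob-admin", "event_type": "modify", '
    '"outcome": "success", "source_ip": "10.1.2.9", "resource": "card-data-db:cardholder_table"}',
    '{"timestamp": "2025-03-31 09:17:05", "user_id": "carol", "event_type": "login", '
    '"outcome": "failure", "source_ip": "203.0.113.7"}',
    '{"timestamp": "2025-03-31T09:18:11+00:00", "event_type": "delete", '
    '"outcome": "ok", "source_ip": "10.1.2.3", "resource": "token-vault"}',
]


def validate_event(line):
    """Return a list of problems; an empty list means the event is PCI-complete."""
    problems = []
    try:
        ev = json.loads(line)
    except json.JSONDecodeError as err:
        return [f"unparseable event: {err.msg}"]
    # Presence of every 10.3.x element (empty strings count as missing).
    for element, fld in REQUIRED_ELEMENTS.items():
        if ev.get(fld) in (None, ""):
            problems.append(f"missing {element}")
    # 10.3.3: a timestamp without an offset cannot be tied to the authoritative clock.
    ts = ev.get("timestamp")
    if ts:
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("10.3.3 timestamp has no UTC offset")
        except ValueError:
            problems.append("10.3.3 timestamp is not ISO 8601")
    # 10.3.4: the indication must be an unambiguous success/failure value.
    if ev.get("outcome") not in VALID_OUTCOMES:
        problems.append("10.3.4 outcome must be 'success' or 'failure'")
    return problems


def audit_batch(lines):
    """Split a batch into SIEM-ready lines and rejected (line_number, problems) pairs."""
    ready, rejected = [], []
    for number, line in enumerate(lines, 1):
        problems = validate_event(line)
        if problems:
            rejected.append((number, problems))
        else:
            ready.append(line)
    return ready, rejected


if __name__ == "__main__":
    ok, bad = audit_batch(SAMPLE_EVENTS)
    print(f"{len(ok)} events ready for SIEM")
    for number, problems in bad:
        print(f"line {number}: {'; '.join(problems)}")
```

Rejected events are returned with their line number and the specific 10.3 element that failed, which is the evidence an assessor will ask for when a log source is found to be incomplete; the naive-timestamp check is deliberately strict because an event that cannot be placed on the authoritative timeline is of little use during an investigation.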

Key Takeaways

  • PCI DSS v4.0 introduces significant new IAM requirements effective March 2024-2025 — including mandatory MFA for all non-console admin access, 6-month access reviews, identity verification for authentication factor changes, and automated logging of all CDE access
  • Requirement 7 mandates that access to cardholder data is restricted by business need-to-know using least privilege — implement RBAC or ABAC for CDE systems and enforce with PAM for privileged access
  • Requirement 8 requires unique IDs for every user in the CDE, MFA for all non-console admin and remote access, and password policies meeting defined complexity standards — service accounts must also have unique IDs with 6-month password rotation
  • Network segmentation reduces PCI scope — only systems in the Cardholder Data Environment (CDE) require full PCI DSS compliance, and JIT access through a PAM gateway is the recommended architecture for CDE administration
  • Service accounts in the CDE present special challenges: no shared accounts, automated password rotation every 6 months, documented business justification, and inclusion in 6-month access reviews
  • PCI DSS logging (Requirement 10) requires user identification, event type, timestamp, success/failure status, origination IP, and affected data identity for all CDE access events