PAM Solution and PCI Data Security Standard (DSS) 3.2

By Yanni Shainsky • June 17, 2016

If you’re reading this blog, chances are it’s your responsibility to understand and enforce your organization’s compliance with the latest PCI Data Security Standard. With the release of PCI DSS version 3.2, PCI Security Standards Council General Manager Stephen Orfei explained that “PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.” Privileged accounts and their management are the point where people, process, policy, technology, and security converge. It is no surprise, then, that the PCI DSS 3.2 standard spends much of its time stressing the importance of protecting privileged accounts.

A key change in the PCI DSS 3.2 standard is the requirement to implement multi-factor authentication for administrators accessing the cardholder data environment (CDE). As Troy Leach, Chief Technology Officer of the PCI Security Standards Council, explained: “Multi-factor authentication requires two or more technologies to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric. Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.”

The reality is that implementing multi-factor authentication on legacy CDE systems can be a daunting task. For one thing, there may be dozens, if not hundreds, of systems integrated with one another, and retrofitting MFA onto every one of them would be a monumental effort. One solution is to deploy an enterprise PAM solution that itself requires an MFA login and acts as the gateway to the CDE. For example, with a mature PAM solution such as CyberArk, an organization would require all administrators to log into CyberArk with their MFA credentials and then connect to the target CDE system through CyberArk’s Privileged Session Manager (PSM), which functions as a jump server. The CDE systems would then only need firewall rules requiring that all administrative access originate from the PSM, which satisfies the MFA requirement without touching each legacy system. In addition, a mature PAM solution can at the same time address other key aspects of the PCI DSS 3.2 requirements, such as:

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 10: Track and monitor all access to network resources and cardholder data
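The gateway architecture above only holds if every administrative session to a CDE host really does arrive through the PSM; a firewall allowlist gap or an overlooked network path silently reintroduces password-only access. The following script, added here as an illustration and not code from the original post or from CyberArk, audits sshd "Accepted" log lines from CDE hosts and flags any successful login whose source is not the jump host (supporting the Requirement 10 monitoring point). The PSM address, the CDE host names, and the log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed (hypothetical) addresses for this example: the PSM jump host
# and the names of the CDE hosts whose sshd logs are being audited.
PSM_HOSTS = {"10.0.5.10"}
CDE_HOSTS = {"cde-db01", "cde-app01"}

# Constructed sample syslog lines in the standard OpenSSH "Accepted" format.
# Line 3 is the interesting one: a CDE login that did not come via the PSM.
SAMPLE_LOG = """\
Jun 17 10:01:22 cde-db01 sshd[2113]: Accepted publickey for dbadmin from 10.0.5.10 port 51022 ssh2: RSA SHA256:abc
Jun 17 10:03:45 cde-app01 sshd[2200]: Accepted password for appadmin from 10.0.5.10 port 51030 ssh2
Jun 17 10:07:09 cde-db01 sshd[2301]: Accepted publickey for dbadmin from 192.168.1.77 port 40100 ssh2: RSA SHA256:def
Jun 17 10:09:10 corp-web01 sshd[990]: Accepted password for webops from 192.168.1.77 port 40120 ssh2
Jun 17 10:11:00 cde-app01 sshd[2350]: Failed password for root from 192.168.1.77 port 40130 ssh2
"""

# Matches only successful logins; failures and other daemons are ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Login:
    ts: str
    host: str
    user: str
    src: str
    method: str


def parse_logins(text):
    """Extract successful sshd logins from raw syslog text."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append(Login(m["ts"], m["host"], m["user"], m["src"], m["method"]))
    return logins


def find_gateway_bypasses(logins, cde_hosts=CDE_HOSTS, psm_hosts=PSM_HOSTS):
    """Return logins to CDE hosts whose source address is not the PSM.

    Each hit is a session that reached a cardholder-data system without
    passing the MFA-enforcing gateway: either the CDE firewall allowlist
    has a gap, or there is a network path around the PSM to investigate.
    """
    return [l for l in logins if l.host in cde_hosts and l.src not in psm_hosts]


if __name__ == "__main__":
    for hit in find_gateway_bypasses(parse_logins(SAMPLE_LOG)):
        print(f"ALERT {hit.ts}: {hit.user}@{hit.host} via {hit.method} from {hit.src} (not the PSM)")
```

In a real deployment the log source would be the central syslog or SIEM feed rather than an inline string, and the PSM set would be whatever addresses the jump servers actually use; the check itself stays the same, and a non-empty result is the signal that the "all access comes from the PSM" rule is not actually being enforced.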

CyberSheath can help you understand and meet your compliance objectives and requirements. Contact us today.
