PAM Solution and PCI Data Security Standard (DSS) 3.2

By Yanni Shainsky • June 17, 2016

If you’re reading this blog, chances are it’s your responsibility to understand and enforce your organization’s compliance with the latest PCI Data Security Standard. With the release of PCI DSS version 3.2, the PCI Security Standards Council General Manager Stephen Orfei explained that “PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.” Privileged accounts and their management are the central point where people, process, policy, technology, and security converge. It is no surprise, then, that the PCI DSS 3.2 standard spends much of its time stressing the importance of protecting privileged accounts.

A key change in the PCI DSS 3.2 standard is the requirement to implement multi-factor authentication for administrators accessing the cardholder data environment (CDE). As Troy Leach, the Chief Technology Officer of PCI, explained: “Multi-factor authentication requires two or more technologies to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric. Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.”

The reality is that implementing multi-factor authentication on legacy CDE systems can be a daunting task. For one thing, there may be dozens, if not hundreds, of systems cross-integrated with one another, and implementing MFA on every one of them would be a monumental task. One solution is to implement an enterprise PAM solution that itself requires an MFA login and acts as a gateway to the CDE. For example, with a mature PAM solution such as CyberArk, an organization would require all administrators to log into CyberArk with their MFA credentials and then connect to the target CDE via CyberArk’s Privileged Session Manager (PSM), which is a type of jump server. The target CDE systems would simply have to require, via firewall rules, that all administrative access comes from the PSM, which quickly satisfies the MFA requirement: an administrator cannot reach a CDE system without first passing MFA at the gateway. In addition, a mature PAM solution can at the same time address other key aspects of the PCI DSS 3.2 requirements, such as:

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 10: Track and monitor all access to network resources and cardholder data
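The gateway design above only holds if the "all access comes from the PSM" rule is actually enforced, so a compliance team will want a recurring check of the CDE hosts' authentication logs for administrative logins that did not originate from a PSM address (this also feeds Requirement 10's monitoring of access to cardholder data). The following Python script is an added example for this post, not code from CyberSheath, CyberArk, or the PCI SSC. It assumes the PSM jump hosts sit at the two addresses in `PSM_HOSTS` (hypothetical), that the CDE hosts run OpenSSH and forward standard `sshd` "Accepted ..." lines, and it works over a few constructed log lines embedded inline rather than real data.

```python
import re
from dataclasses import dataclass

# Assumption (constructed for this example): addresses of the PSM jump servers.
# Any successful login to a CDE host that did not come from one of these is a
# bypass of the MFA gateway and should be investigated.
PSM_HOSTS = {"10.10.5.21", "10.10.5.22"}

# Constructed sample sshd log lines from a hypothetical CDE host (not real data).
SAMPLE_LOG = """\
Jun 17 09:12:01 cde-db01 sshd[2211]: Accepted publickey for dbadmin from 10.10.5.21 port 51122 ssh2: RSA SHA256:abc
Jun 17 09:15:44 cde-db01 sshd[2290]: Accepted password for root from 192.168.40.17 port 40212 ssh2
Jun 17 09:16:02 cde-db01 sshd[2301]: Failed password for root from 192.168.40.17 port 40213 ssh2
Jun 17 09:20:30 cde-db01 sshd[2340]: Accepted publickey for dbadmin from 10.10.5.22 port 51200 ssh2: RSA SHA256:def
Jun 17 09:31:12 cde-db01 sshd[2399]: Accepted keyboard-interactive/pam for ops from 10.10.7.9 port 60001 ssh2
"""

# Matches only successful logins ("Accepted ..."); failed attempts are a
# separate alerting concern and are deliberately ignored here.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)


@dataclass(frozen=True)
class Login:
    ts: str
    host: str
    user: str
    src: str
    method: str


def parse_logins(text):
    """Return one Login record per successful sshd login found in the log text."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append(Login(m["ts"], m["host"], m["user"], m["src"], m["method"]))
    return logins


def bypass_logins(text, psm_hosts=PSM_HOSTS):
    """Successful logins whose source address is not a PSM jump server."""
    return [login for login in parse_logins(text) if login.src not in psm_hosts]


def summarize(text, psm_hosts=PSM_HOSTS):
    """Counts suitable for a compliance dashboard or a scheduled report."""
    logins = parse_logins(text)
    bypass = bypass_logins(text, psm_hosts)
    return {
        "total": len(logins),
        "via_psm": len(logins) - len(bypass),
        "bypass": len(bypass),
    }


if __name__ == "__main__":
    for login in bypass_logins(SAMPLE_LOG):
        print(f"MFA gateway bypass: {login.user}@{login.host} from {login.src} "
              f"({login.method}) at {login.ts}")
    print(summarize(SAMPLE_LOG))
```

In a real deployment the log text would come from the central log collector rather than an inline string, and any non-zero `bypass` count means either the CDE firewall rules are not restricting administrative access to the PSM as intended or someone holds a path around the gateway; both are findings against the MFA control, not just noise.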

CyberSheath can help you understand and meet your compliance objectives and requirements, contact us today.
