PAM Solution and PCI Data Security Standard (DSS) 3.2

By Yanni Shainsky • June 17, 2016

If you’re reading this blog, chances are it’s your responsibility to understand and enforce your organization’s compliance with the latest PCI Data Security Standard. With the release of PCI DSS version 3.2, PCI Security Standards Council General Manager Stephen Orfei explained that “PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.” Privileged accounts and their management are the central point where people, process, policy, technology, and security converge. It is no surprise, then, that PCI DSS 3.2 spends much of its time stressing the importance of protecting privileged accounts.

A key change in PCI DSS 3.2 is the requirement to implement multi-factor authentication for administrators accessing the cardholder data environment (CDE). As Troy Leach, Chief Technology Officer of the PCI Security Standards Council, explained: “Multi-factor authentication requires two or more technologies to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric. Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.”

The reality is that implementing multi-factor authentication on legacy CDE systems can be a daunting task. There may be dozens, if not hundreds, of cross-integrated systems, and retrofitting MFA onto every one of them would be a monumental effort. One solution is to deploy an enterprise PAM solution that requires an MFA login and acts as a gateway to the CDE. For example, with a mature PAM solution such as CyberArk, an organization would require all administrators to log into CyberArk with their MFA credentials and then connect to the target CDE system through CyberArk’s Privileged Session Manager (PSM), a type of jump server. The CDE systems would simply need firewall rules requiring that all administrative access originate from the PSM, quickly satisfying the MFA requirement. In addition, a mature PAM solution can at the same time address other key requirements of PCI DSS 3.2, such as:

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 10: Track and monitor all access to network resources and cardholder data
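The gateway pattern described above has two halves a practitioner has to get right: the CDE-side firewall policy that admits administrative protocols only from the PSM, and the monitoring (Requirement 10) that proves nothing is going around the gateway. The following Python is an added example, not CyberSheath's or CyberArk's code; the PSM address, the CDE host names, the admin port list and the connection-log format are all constructed assumptions. It emits an nftables ruleset for a CDE host and audits a sample log for non-console admin sessions that did not originate from the jump host.

```python
"""Gateway-enforced MFA for a CDE: emit the CDE-side firewall policy and
audit a connection log for administrative access that bypassed the PAM jump host.

Added example, not CyberSheath's or CyberArk's code. Host names, addresses,
the port list and the log format are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress

# Non-console administrative ports the MFA requirement applies to (assumed list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}


def nft_ruleset(psm_ip: str, admin_ports=ADMIN_PORTS) -> str:
    """Return an nftables ruleset for a CDE host that accepts admin ports only from the PSM.

    Any other attempt on those ports is logged (Requirement 10 evidence) and dropped.
    """
    ipaddress.ip_address(psm_ip)  # raises ValueError on a malformed address
    ports = ", ".join(str(p) for p in sorted(admin_ports))
    return "\n".join([
        "table inet cde_admin {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
        f"    ip saddr {psm_ip} tcp dport {{ {ports} }} accept",
        f"    tcp dport {{ {ports} }} log prefix \"cde-admin-bypass: \" drop",
        "  }",
        "}",
    ])


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_host: str
    dst_port: int
    user: str


def parse_log(lines):
    """Parse constructed connection-log lines: '<src_ip> <dst_host> <dst_port> <user>'."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, user = line.split()
        out.append(Connection(src, dst, int(port), user))
    return out


def find_bypass(connections, psm_ip, cde_hosts, admin_ports=ADMIN_PORTS):
    """Return admin connections to CDE hosts that did not come from the PSM.

    Each record is non-console administrative access that skipped the MFA gateway,
    which means either a firewall gap or a host that is not yet behind the PSM.
    """
    return [
        c for c in connections
        if c.dst_host in cde_hosts and c.dst_port in admin_ports and c.src_ip != psm_ip
    ]


# Constructed sample data: one PSM, two CDE hosts, a mix of gateway and direct sessions.
PSM_IP = "10.0.1.10"
CDE_HOSTS = {"pos-db-01", "pos-app-01"}
SAMPLE_LOG = """
# src_ip dst_host dst_port user
10.0.1.10 pos-db-01 22 dba1
10.0.1.10 pos-app-01 3389 winadmin
10.0.5.23 pos-db-01 22 dba1
10.0.5.23 pos-app-01 443 webuser
10.0.1.10 pos-db-01 3389 winadmin
192.168.7.4 corp-wiki 22 devops
10.0.9.9 pos-app-01 5985 svc_patch
""".splitlines()


if __name__ == "__main__":
    print(nft_ruleset(PSM_IP))
    for c in find_bypass(parse_log(SAMPLE_LOG), PSM_IP, CDE_HOSTS):
        print(f"BYPASS {c.user}@{c.src_ip} -> {c.dst_host}:{c.dst_port} ({ADMIN_PORTS[c.dst_port]})")
```

On the sample data only two sessions are flagged: the direct SSH to pos-db-01 and the direct WinRM to pos-app-01. The HTTPS session to pos-app-01 is application traffic, not administrative access, and the SSH to corp-wiki is outside the CDE, so neither is a finding. The ruleset places the PSM accept rule before the logging drop so that every blocked attempt leaves a kernel log line prefixed `cde-admin-bypass:`, which is the evidence an assessor will ask for.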

CyberSheath can help you understand and meet your compliance objectives and requirements; contact us today.
