PAM Solution and PCI Data Security Standard (DSS) 3.2
If you’re reading this blog, chances are it’s your responsibility to understand and enforce your organization’s compliance with the latest PCI Data Security Standard. With the release of PCI DSS version 3.2, PCI Security Standards Council General Manager Stephen Orfei explained that “PCI DSS 3.2 advocates that organizations focus on people, process and policy, with technology playing an important role in reducing the overall cardholder data footprint.” Privileged accounts and their management are the point where people, process, policy, technology, and security converge. It is no surprise, then, that PCI DSS 3.2 devotes so much attention to protecting privileged accounts.
A key change in PCI DSS 3.2 is the requirement to implement multi-factor authentication (MFA) for administrators accessing the cardholder data environment (CDE). As Troy Leach, Chief Technology Officer of the PCI Security Standards Council, explained: “Multi-factor authentication requires two or more technologies to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric. Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.”
The reality is that implementing multi-factor authentication on legacy CDE systems can be a daunting task. For one thing, there may be dozens, if not hundreds, of cross-integrated systems, and adding MFA to every one of them would be a monumental effort. One solution is to deploy an enterprise PAM solution that requires an MFA login and acts as a gateway to the CDE. For example, with a mature PAM solution such as CyberArk, an organization would require all administrators to authenticate to CyberArk with MFA and then connect to the target CDE systems through CyberArk’s Privileged Session Manager (PSM), a type of jump server. The CDE systems would then only need firewall rules restricting administrative access to connections originating from the PSM, which quickly satisfies the MFA requirement. That firewall restriction is what makes the design hold: if administrators can still reach CDE systems directly, the MFA enforced at the PAM gateway can simply be bypassed. In addition, a mature PAM solution can at the same time address other key aspects of PCI DSS 3.2, such as:
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 10: Track and monitor all access to network resources and cardholder data
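The gateway design above stands or falls on two controls that an assessor will want evidence for: the CDE firewall policy must admit administrative protocols only from the PSM, and session logs on CDE hosts (Requirement 10) must show no successful administrative logins from anywhere else. The following script is an added example written for this post; it is not CyberSheath or CyberArk code. All addresses, the allow-list rules and the sshd-style log lines are constructed placeholders, and the rule model is a simple allow-list with implicit deny rather than any vendor's firewall syntax.

```python
"""Audit helpers for a PAM-gateway CDE design (constructed example).

Two checks:
  1. find_rule_violations: which firewall allow rules let a non-PSM source
     reach an administrative port on a CDE host.
  2. bypass_logins: which successful logins in a CDE host's auth log did
     not originate from the PSM, i.e. sessions that skipped the MFA gateway.
"""
from ipaddress import ip_network
import re

# Constructed values: not addresses from any real deployment.
PSM_SOURCES = [ip_network("10.10.1.10/32"), ip_network("10.10.1.11/32")]
CDE_NETWORKS = [ip_network("10.20.0.0/24")]
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM HTTP/HTTPS

# Allow-list rules as (source CIDR, destination CIDR, destination ports);
# an empty port set means "any port". Anything not listed is denied.
FIREWALL_RULES = [
    ("10.10.1.10/32", "10.20.0.0/24", {22, 3389}),  # PSM -> CDE admin protocols
    ("10.10.1.11/32", "10.20.0.0/24", {22, 3389}),  # second PSM node
    ("10.30.0.0/16",  "10.20.0.0/24", {443}),       # app tier -> CDE API, not admin
    ("10.40.5.7/32",  "10.20.0.6/32", {22}),        # workstation with direct SSH
    ("0.0.0.0/0",     "10.20.0.0/24", set()),       # any-source, any-port rule
]


def _is_psm(src_cidr):
    """True only if every address in src_cidr belongs to a PSM host."""
    net = ip_network(src_cidr)
    return any(net.subnet_of(psm) for psm in PSM_SOURCES)


def _touches_cde(dst_cidr):
    net = ip_network(dst_cidr)
    return any(net.overlaps(cde) for cde in CDE_NETWORKS)


def _has_admin_port(ports):
    # An empty set is "any port", which necessarily includes admin ports.
    return not ports or bool(ports & ADMIN_PORTS)


def find_rule_violations(rules):
    """Return allow rules that expose a CDE admin port to a non-PSM source."""
    return [
        (src, dst, ports)
        for src, dst, ports in rules
        if _touches_cde(dst) and _has_admin_port(ports) and not _is_psm(src)
    ]


# Constructed sshd-style lines from a CDE host; only "Accepted" lines matter here.
SAMPLE_AUTH_LOG = """\
Jun  1 09:12:01 cde-db01 sshd[2211]: Accepted publickey for dbadmin from 10.10.1.10 port 50122 ssh2
Jun  1 09:15:44 cde-db01 sshd[2290]: Accepted password for root from 10.40.5.7 port 51000 ssh2
Jun  1 09:16:02 cde-db01 sshd[2301]: Failed password for root from 10.40.5.7 port 51001 ssh2
Jun  1 09:20:10 cde-db01 sshd[2350]: Accepted publickey for opsadmin from 10.10.1.11 port 50130 ssh2
"""

LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def bypass_logins(log_text):
    """Return (user, source) for successful logins that did not come via the PSM."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and not _is_psm(m.group("src") + "/32"):
            hits.append((m.group("user"), m.group("src")))
    return hits


if __name__ == "__main__":
    for rule in find_rule_violations(FIREWALL_RULES):
        print("firewall rule bypasses PAM gateway:", rule)
    for user, src in bypass_logins(SAMPLE_AUTH_LOG):
        print(f"login for {user} from {src} did not come through the PSM")
```

Run against the constructed data, the rule check flags the workstation's direct SSH rule and the any-source rule, and the log check flags the root login from 10.40.5.7; the PSM-originated sessions pass. Feeding the same functions an export of the real rule base and the real auth logs is the evidence that the gateway, not just the PAM product, is enforcing MFA for the CDE.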
CyberSheath can help you understand and meet your compliance objectives and requirements. Contact us today.