Using PAM to Meet PCI-DSS Requirements

More than a quarter of all cyberattacks are aimed at financial systems – more than any other vertical. In 2019, Capital One, Desjardins, First American Financial, Westpac, and even the Bulgarian National Revenue Agency were all victims of successful cyberattacks, and there is no reason to think that such attacks will lessen.

Financial systems are particularly attractive targets to hackers since they are potentially high-reward targets with little in the way of risk for the hackers. On the reward side, account information and credit card numbers can be stolen and resold on the black market, or else used directly. As for the risks? Ask yourself how many successful attacks you’ve heard about over the last six months – and then try to recall how many arrests of cybercriminals you’ve heard of in the same time period.

And along with the reward for hackers come the costs for the victims. The average cost to a business after a successful cyberattack is $13 million, which can devastate the bottom line – but even more devastating can be the effects on the individual victims, whose bank accounts can be emptied, credit cards run up, and credit ratings destroyed.

Of course, the onus is on companies to ensure that their infrastructure is secure, which can be difficult given the number of systems (ATMs, databases, mainframes…) which must interact in near real-time, and the number of admins and IT personnel who must have privileged access to ensure that these systems are always running properly. What’s more, organizations in all sectors are subject to regulatory standards which aim to enforce a minimum standard of security for the public’s financial data. Fortunately, the PCI DSS standards help ensure cybersecurity – and Privileged Access Management (PAM) can help ensure that many of the PCI DSS requirements are met.

How Privileged Access Management addresses PCI DSS Requirements

  • Requirement: Vendor-supplied defaults must not be used for system or admin passwords.
    A strong PAM solution will have password management controls built-in, allowing for rule creation and enforcement (e.g., default passwords must be changed) as well as forced rotation of passwords and keys. Vitally, a strong solution will enforce these controls not only for human users but also for application-to-application passwords and keys.
  • Requirement: Access to payment cardholder data is restricted to those with a business need to know.
    In other words, cardholder data is privileged information, and should only be accessible to users with the appropriate privileges. Of course, guaranteeing that sensitive resources are only accessed by the proper users is at the heart of PAM. A strong PAM solution will not only meet this PCI DSS requirement but exceed it, by making sure not only that users are granted appropriate privileges but also that the circumstances of their access attempt meet defined rules.
  • Requirement: All access to network resources and cardholder data must be tracked and monitored.
    Because proper PAM requires knowing not only who but also what and when, a robust PAM solution will meet PCI DSS requirements by both monitoring and recording all session activity. Furthermore, the best PAM solutions will go the PCI DSS requirements one better by having the capability to automatically terminate sessions that attempt unauthorized access or actions that could put cardholder data and other privileged resources at risk.
  • Requirement: Secure remote access must be facilitated.
    Again, a full-featured PAM solution will meet this requirement by virtue of its ability to control privileged access not only by the user, but also by circumstance – such as the ability to define not only what critical resources a user can access, but also the remote locations (or IP addresses) from which such privileged access is allowed.
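
The four controls above, reduced to a policy check a practitioner could actually run: this is an added Python example, not code from the original post or from any PAM product. The role table, approved network range, default-password list and blocked actions are constructed sample values standing in for an organization's own policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample policy: illustrative values, not any vendor's real defaults.
DEFAULT_PASSWORDS = {"admin", "password", "changeme"}   # known vendor-default strings
MAX_CREDENTIAL_AGE = timedelta(days=90)                 # forced rotation interval
ROLE_RESOURCES = {"dba": {"cardholder-db"}, "netops": {"core-switch"}}
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]           # approved jump-host range
BLOCKED_ACTIONS = ("drop table", "select pan")          # actions that end a session
AUDIT_LOG = []                                          # every decision and command is recorded

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    source_ip: str
    secret: str           # password or key presented with the request
    rotated_at: datetime  # when that credential was last rotated

def credential_problem(req, now):
    """Requirement 1: reject vendor defaults and credentials past their rotation age."""
    if req.secret.lower() in DEFAULT_PASSWORDS:
        return "vendor-default credential"
    if now - req.rotated_at > MAX_CREDENTIAL_AGE:
        return "credential past rotation age"
    return None

def evaluate(req, now):
    """Requirements 2 and 4: need-to-know by role, plus the network the request comes from."""
    reason = credential_problem(req, now)
    if reason is None and req.resource not in ROLE_RESOURCES.get(req.role, set()):
        reason = "no business need for resource"
    if reason is None and not any(ip_address(req.source_ip) in n for n in ALLOWED_NETWORKS):
        reason = "source address outside approved networks"
    decision = "allow" if reason is None else "deny"
    AUDIT_LOG.append({"ts": now.isoformat(), "user": req.user, "resource": req.resource,
                      "src": req.source_ip, "decision": decision, "reason": reason})
    return decision, reason

def monitor_session(user, commands):
    """Requirement 3: log each command; stop the session at the first blocked action."""
    for i, cmd in enumerate(commands):
        AUDIT_LOG.append({"user": user, "cmd": cmd})
        if any(b in cmd.lower() for b in BLOCKED_ACTIONS):
            return i, f"session terminated at blocked action: {cmd}"
    return len(commands), None
```

Every path, allowed or denied, writes to `AUDIT_LOG`, which is the property an assessor will look for: the deny reason is as much part of the record as the allow.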

Of course, the complete PCI DSS specification is lengthy, and deals with far more aspects of payment card security than PAM itself can properly address. Nonetheless, a strong PAM solution goes a long way towards addressing many of the key requirements of PCI DSS to not only aid in compliance but also help cybersecurity teams truly achieve what the regulation is for in the first place: Stronger cybersecurity that better protects sensitive payment cardholder data.