How to Implement Secure, PCI-Compliant Access Controls

Business trends such as outsourcing, teleworking, cloud computing, and the need to comply with the Payment Card Industry Data Security Standard and other corporate, government and industry regulations have redefined the traditional "moat and castle" notion of the network perimeter. The problem businesses face today is not how to keep people out, but how to safely let them in. Here, Knowledge Center contributor Dave Olander explains how to implement secure, PCI-compliant access controls without introducing additional risk or jeopardizing IT's security or compliance posture.


Many legacy systems are simply not aligned with current business needs. Many offer limited value in today's dynamic business and regulatory environment. Next-generation access solutions evolved from the need to manage a smaller group of high-performing or trusted users such as database administrators, users accessing credit card data, external auditors working remotely, and outsourced or other business partners.

Focused on the "control" piece of access control, next-generation systems are lightweight, agile and plug into existing network infrastructure. As a result, they are becoming widely recognized as an efficient, cost-effective way to integrate strong network controls that deliver the security and compliance benefits required for today's business landscape.

For instance, Section 7 of the Payment Card Industry Data Security Standard (PCI DSS) requires that access to cardholder data be restricted by business "need-to-know." This means that access rights are granted only to the least amount of data and the fewest privileges needed to perform a job. Section 7.1 of the PCI DSS limits access to system components and cardholder data to only those individuals whose job requires such access.

Section 7.2 of the PCI DSS requires merchants to "establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to 'deny all' unless specifically allowed." Section 8 of the PCI DSS requires a unique ID for each person with computer access to ensure that actions taken on critical data and systems are performed by and can be traced to known and authorized users.

In order to meet both the letter and the spirit of the PCI DSS, next-generation access control systems should have the following six attributes:

Attribute No. 1: Right-size permissions based on a zero trust model

At the start of any technology deployment, common sense dictates an audit of current access policies to see if they are aligned with the needs of the business. In response to a host of factors, many organizations are rethinking their access policies and finding that they are far more open than the needs of the business dictate. As a result, they are recalibrating to both the letter and spirit of PCI DSS requirement 7.2: deny all unless specifically allowed. They're also taking it further to make sure that those who are allowed are closely monitored. This "zero trust" access model allows organizations to adhere to PCI mandates, even when dealing with users (such as vendors, outsourced personnel and other third parties) who access systems from unmanaged endpoints.
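To make the "deny all unless specifically allowed" and unique-ID requirements concrete, here is an added example (not code from the article or from any product it describes) of a minimal policy evaluator. It models requirement 7.2 by treating any permission not explicitly granted to one of a user's roles as denied, models Section 8 by refusing to enroll a second account under an existing user ID and by recording every decision against that ID, and supports the access audit described above by reporting grants that have never been exercised. All roles, user IDs and resource names are constructed sample data, and the class and function names are this example's own.

```python
"""Default-deny, need-to-know access check with a per-user audit trail.

Added illustration modelling PCI DSS 7.2 (deny all unless specifically
allowed) and Section 8 (unique ID per user). Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Permission:
    resource: str   # e.g. "cardholder_db"
    action: str     # e.g. "read"


@dataclass
class Policy:
    # role -> permissions that are explicitly allowed; anything absent is denied
    role_permissions: Dict[str, Set[Permission]]
    # unique user ID -> assigned roles (populated only through enroll())
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # one record per decision: (user_id, resource, action, "ALLOW"/"DENY")
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def enroll(self, user_id: str, roles: Set[str]) -> None:
        """Register a person under a unique ID; shared or reused IDs are rejected."""
        if user_id in self.user_roles:
            raise ValueError(f"duplicate user ID {user_id!r}: IDs must be unique per person")
        unknown = roles - self.role_permissions.keys()
        if unknown:
            raise ValueError(f"unknown roles {sorted(unknown)}")
        self.user_roles[user_id] = set(roles)

    def is_allowed(self, user_id: str, resource: str, action: str) -> bool:
        """Default deny: True only if some role of this user explicitly grants the permission.
        Unknown users have no roles and therefore fall through to DENY."""
        wanted = Permission(resource, action)
        allowed = any(wanted in self.role_permissions[r]
                      for r in self.user_roles.get(user_id, ()))
        # Every decision is attributable to a unique ID, allowed or not.
        self.audit_log.append((user_id, resource, action, "ALLOW" if allowed else "DENY"))
        return allowed


def unused_grants(policy: Policy) -> Dict[str, Set[Permission]]:
    """Permissions each user holds but has never exercised (per the audit log).
    These are the candidates to remove when right-sizing permissions."""
    exercised = {(u, r, a) for (u, r, a, d) in policy.audit_log if d == "ALLOW"}
    report: Dict[str, Set[Permission]] = {}
    for user, roles in policy.user_roles.items():
        granted = set().union(*(policy.role_permissions[r] for r in roles))
        unused = {p for p in granted if (user, p.resource, p.action) not in exercised}
        if unused:
            report[user] = unused
    return report


def build_sample_policy() -> Policy:
    """Constructed sample: three roles, three people, no generic accounts."""
    roles = {
        "dba": {Permission("cardholder_db", "read"), Permission("cardholder_db", "admin")},
        "auditor": {Permission("audit_reports", "read")},
        "vendor_support": {Permission("pos_terminal", "read")},
    }
    policy = Policy(roles)
    policy.enroll("jdoe", {"dba"})
    policy.enroll("ext-audit-01", {"auditor"})
    policy.enroll("vendor-acme-07", {"vendor_support"})
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.is_allowed("jdoe", "cardholder_db", "read"))          # granted via "dba"
    print(p.is_allowed("ext-audit-01", "cardholder_db", "read"))  # auditor lacks the grant
    print(p.is_allowed("nobody", "audit_reports", "read"))        # unknown ID -> deny
    for entry in p.audit_log:
        print(entry)
    print(unused_grants(p))  # jdoe holds "admin" on cardholder_db but never used it
```

The evaluator never consults a "deny" list: the absence of an explicit grant is the denial, which is what 7.2 asks for. Running `unused_grants` over a log collected during normal operations is one way to carry out the access-policy audit the article recommends before a deployment.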