PCI – The Importance of Separating the User From the System Credentials

Friday 16 September 2016

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every company that accepts, processes, stores or transmits cardholder data maintains a secure environment. The PCI Security Standards Council, launched on September 7, 2006, manages the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process.


At Osirium we focus on Privileged Access Management, a well understood term in this sector, and, thankfully, personalised privileged accounts are predominantly well managed.  Tracking who did what, and when, is critical for audit trails and for achieving compliance.  Unfortunately, such controls can lapse when generic, default or built-in accounts are taken into account.  A key issue here is the sheer number of accounts that exist overall, and keeping a formal record of when they are created, how they are used, and when they are (or should be) deleted.  One area where these accounts are easily lost track of is the helpdesk.  Also known as first-line support, these accounts are often created to deal with a particular issue or problem, or are assigned to contractors retained to support specific projects only.  Their passwords are easily changed, and are all too often amended several times over the life of the PCI system's operation, so monitoring them becomes even more challenging.  Bear in mind that such short-term support projects are commonly associated with peaks in business demand rather than ongoing needs, and you will soon realise that a number of them are also outsourced to third parties or temporary staff.  It is here that PCI policies are most at risk of being breached, be it unintentionally or not.

In order to retain important points of control and reduce the risk of a data breach, it becomes critical to separate the user from the system credentials.  PCI DSS itself prohibits the use of group, shared or generic IDs and passwords (Requirement 8.5 in version 3.2), yet even with the best intentions passwords may be shared on a temporary basis to 'help' a colleague access an element of the system under pressure, with a deadline looming or to resolve a pending crisis that needs team involvement or specialist support.  Consider now that these credentials are shared with third parties that have no long-term responsibility to the business, and you quickly find the scale of the problem escalating.

Osirium tackles this issue head on by enabling the organisation to map every request for access via these generic accounts back to the named individual who made it.  This gives the business visibility of who accessed the system, and how, as opposed to simply knowing that the account was used.  Importantly, further control elements can also be added, such as tickets, which require the user accessing the network or the application to quote a valid incident or reference number, with the cycle completed by recording 'why' access was requested.  Also becoming increasingly compelling in this space is the ability to offer session recordings.  Sessions can be reported against a ticket to show exactly what happened in the system during the time access was given, which both deters misuse and supports investigation after the fact, and also ensures that increased attention is paid by the user, typically resulting in better quality output.

Looking again at the use of such generic accounts, most businesses will agree that these are created in order to complete specific tasks that, whilst required regularly, do not need to be completed by a specific individual, which leads to passwords and access details being shared across a wider team for ease.  To tighten up security in this area, such repetitive tasks and sequences can also be automated in Osirium, removing the need for anyone to share a password: access rights are agreed and assigned to the task, and the individual is granted the task rather than the credential.
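The two controls described above, ticket-gated access to a generic account that is attributed to a named individual, and task automation that never hands the user the shared password, can be reduced to one small credential broker. The following is an added example written for this page, not Osirium's code; the account name `svc_backup`, the `INC-nnnnnn` ticket format, the `rotate_logs` task and the sample data are constructed for illustration.

```python
"""Minimal credential broker that separates the user from the shared credential.

A named user must quote an open ticket and a reason; the broker then runs a
predefined task with the shared account's password on their behalf, records
who/what/when/why, and never returns the password to the caller.
Constructed illustration only (not Osirium's code); names and ticket format
are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List

# Assumed ticket reference format, e.g. "INC-000123".
TICKET_RE = re.compile(r"^INC-\d{6}$")


@dataclass(frozen=True)
class AuditEvent:
    user: str            # the named individual, not the generic account
    shared_account: str  # the generic/built-in account actually used
    ticket: str
    task: str
    reason: str
    at: str              # ISO 8601 UTC timestamp


class CredentialBroker:
    """Holds shared-account passwords and exposes only task execution, never
    the password itself, so there is nothing for users to share or write down."""

    def __init__(self, vault: Dict[str, str], open_tickets: Iterable[str],
                 tasks: Dict[str, Callable[[str, str], str]]) -> None:
        self._vault = dict(vault)             # shared_account -> password
        self._open_tickets = set(open_tickets)
        self._tasks = dict(tasks)             # task name -> fn(account, password)
        self.audit: List[AuditEvent] = []

    def run_task(self, user: str, shared_account: str, ticket: str,
                 task: str, reason: str) -> str:
        # All policy checks happen before the password is read from the vault;
        # each denial names the user so it can be logged against them.
        if not TICKET_RE.match(ticket) or ticket not in self._open_tickets:
            raise PermissionError(f"{user}: {ticket!r} is not an open ticket")
        if not reason.strip():
            raise PermissionError(f"{user}: a reason for access is required")
        if task not in self._tasks:
            raise PermissionError(f"{user}: task {task!r} is not approved")
        if shared_account not in self._vault:
            raise PermissionError(f"{user}: unknown account {shared_account!r}")

        password = self._vault[shared_account]
        result = self._tasks[task](shared_account, password)
        self.audit.append(AuditEvent(
            user=user, shared_account=shared_account, ticket=ticket,
            task=task, reason=reason.strip(),
            at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        ))
        return result


def rotate_logs(account: str, password: str) -> str:
    """Stand-in for a real task (e.g. an SSH session that runs logrotate).
    The password is consumed here and is never part of the return value."""
    if not password:
        raise ValueError("no credential supplied for the session")
    return f"rotate_logs run as {account}"


def build_demo_broker() -> CredentialBroker:
    """Constructed sample data: one shared account, two open tickets, one task."""
    return CredentialBroker(
        vault={"svc_backup": "S3cr3t-shared-pw"},
        open_tickets=["INC-000123", "INC-000124"],
        tasks={"rotate_logs": rotate_logs},
    )


if __name__ == "__main__":
    broker = build_demo_broker()
    print(broker.run_task("alice", "svc_backup", "INC-000123",
                          "rotate_logs", "nightly rotation failed"))
    for event in broker.audit:
        print(event)
    try:  # no open ticket: denied, and the password is never touched
        broker.run_task("bob", "svc_backup", "INC-999999",
                        "rotate_logs", "just looking")
    except PermissionError as err:
        print("denied:", err)
```

The point of the design is what the broker does not have: there is no method that returns a password, so a contractor or helpdesk analyst can be given the task without ever being given anything they could share, and every use of `svc_backup` in the audit trail resolves to a person, a ticket and a reason.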

Remove the need to log in, and you remove the associated risks - no wandering, no sharing and no forgotten accounts left accessible - which in turn reduces the risk of external unauthorised access.  Osirium provides auditing capabilities, complemented by reporting and tracking metrics, that help your staff work within PCI DSS and demonstrate that systems are secure.  At a time when reputational risk is as much of a business concern as financial risk, why lock your front door while leaving a back window open?

Osirium are exhibiting at IP EXPO Europe 2016 on Stand C14.

Andy Harris, Engineering Director at Osirium.
