Identity and Access Management (IAM) in Payment Card Industry (PCI) Data Security Standard (DSS) environments.


This is the first of a series of consultant-written blogs around PCI DSS.

Many organizations have multiple IAM schemes that they forget about when it comes to a robust compliance framework such as PCI DSS.

There are, at minimum, two schemes that need to be reviewed, but consider whether you have more, drawing on this potential, and probably incomplete, list:

  • Cloud service master account management (e.g., Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Architecture (OCA))
  • Name service registrars (e.g., GoDaddy, Network Solutions)
  • DNS service (e.g., Akamai, CloudFront)
  • Certificate providers (e.g., Entrust, DigiCert)
  • IaaS (Infrastructure as a Service) and SaaS (Software as a Service) accounts (e.g., Digital Realty, Equinix, Splunk, USM Anywhere (USMA), Rapid7)
