
Achieve PCI DSS v3.2.1 Compliance with Spectra PAM

The Payment Card Industry Data Security Standard (PCI DSS) mandates preventive measures to secure privileged account access and passwords in order to protect cardholder data. Organizations holding customer credit card details must comply with PCI DSS v3.2.1 (in effect since May 2018), including the clauses on privileged access highlighted below. Sectona, with its flagship Privileged Access Management product Spectra, helps organizations achieve compliance around privileged and administrative account access with confidence.

Clause 2 of the PCI DSS Compliance Framework speaks about changing vendor-supplied default credentials, using strong encryption methods for data privacy and following a secure password management approach.

How does Spectra PAM help you adhere to this clause?

Spectra PAM has a robust password vault which uses a 3-step approach to password management (rotation, verification, reconciliation) for all vendor-supplied default accounts. All passwords are stored in the vault in encrypted form.

Going one step further, as a value add, Spectra leverages its strong discovery module, which automatically discovers all privileged accounts (including vendor default accounts) across operating systems and databases and vaults the credentials within its secure vault.

Tip: Sectona Research Team has simplified this for organizations by identifying all the vendor-supplied accounts across a wide range of applications and systems. To read more, visit

Clause 7 of the PCI DSS Compliance Framework speaks about implementing strong access control measures that restrict access to cardholder data on a need-to-know basis. It states that access should be limited to only those personnel whose job requires access to cardholder data. Access to such critical databases should be provided only on prior approval and on a need-to-know basis.

How does Spectra PAM help you comply with this clause?

Spectra Server Access and User Access Policies can be configured while granting users access to critical data. Policies can be defined on a ‘need-to-know, need-to-access’ basis and enforce restrictions on what can be accessed, by whom, when, for what and for how long, ensuring only the necessary privileges are granted to users. With Spectra’s Workflow module, access can be granted to users only after approval from authorized approver(s). Up to 15 levels of approval, with multiple approvers at each level, can be configured for greater flexibility.

As a value add, access for the growing remote and third-party user base can also be controlled with Spectra’s remote privileged access and privileged session collaboration capabilities.

Clause 8 of the compliance framework requires identification and authentication of each user accessing system components. These users can be both internal users and third-party vendor users. It also calls for multi-factor authentication when granting access to users, and for session management controls such as session lockout after a specified idle duration and complex password policies.

How can Spectra PAM help you achieve compliance with this clause?

Spectra PAM has deep integrations with Active Directory for automated fetching of user access policies, or policy-driven attribute-based grouping, for faster provisioning of access to internal and remote users. Privileged session management policies can be configured for third-party vendor access from within the network and remotely, by defining hybrid access mechanisms based on user role, mode of access and location of access. Spectra PAM integrates with MFA solutions, so that a second level of authentication and verification can be configured for all users.

Additionally, to isolate privileged sessions from third-party vendor access, Spectra PAM has unique Cross-Platform Hybrid Access capabilities that allow users to connect via virtualized browser-based sessions or via a jump server.

Tip: One of our customers had similar requirements for an access control mechanism. Don’t forget to read how Spectra PAM was able to meet the customer’s needs, visit

Clause 10 of the compliance framework speaks about tracking and monitoring all access to network resources and cardholder data. It states that logs should be generated for each privileged session, stored in a tamper-proof format and made available for audit. The logs should capture all activities performed in the session by root or administrator users and by users having access to cardholder data.

With Spectra’s Session Recording module, logs are generated for every session accessed, in both text and video format. These logs are stored in encrypted form and are tamper-proof, and they are accessible only to authorized personnel.

Apart from log generation, Spectra has a built-in advanced risk scoring and threat analytics engine. Spectra maintains a library of high-risk events that may be executed within a session and, based on these events together with user access and profiling, generates a composite risk score. This aids in identifying and interpreting high-risk privileged sessions.
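To make the two ideas above concrete, tamper-proof session logs and a composite risk score derived from a library of high-risk events plus user profiling, here is an added Python illustration. It is not Spectra’s code or Sectona’s design: the HMAC-chained log, the event library and weights, the profile factors, the sample session commands and the key are all constructed for this demonstration.

```python
"""Added illustration (not Spectra's implementation): a tamper-evident,
HMAC-chained privileged-session log and a composite risk score over it."""
import copy
import hashlib
import hmac
import json

# Hypothetical library of high-risk events: substring pattern -> weight (constructed).
HIGH_RISK_EVENTS = {
    "sudo su": 30,
    "cat /etc/shadow": 35,
    "select * from cardholder": 40,
    "useradd": 25,
    "rm -rf": 35,
}

# Hypothetical user-profile factors that raise the score (constructed).
PROFILE_FACTORS = {
    "off_hours": 10,     # session outside the user's normal working window
    "third_party": 15,   # external vendor rather than internal staff
    "no_approval": 20,   # session started without a workflow approval
}

# Constructed demo key; a real deployment would hold this in the vault/HSM.
SESSION_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample session of a third-party vendor user.
SAMPLE_COMMANDS = [
    {"user": "vendor01", "command": "ls /var/log"},
    {"user": "vendor01", "command": "sudo su -"},
    {"user": "vendor01", "command": "mysql -e 'SELECT * FROM cardholder'"},
]

GENESIS = "0" * 64  # chain anchor for the first entry


def _mac(key, prev, event):
    """HMAC-SHA256 over the previous MAC and the event, in canonical JSON."""
    payload = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_event(log, key, event):
    """Append an event whose MAC chains to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"prev": prev, "event": event, "mac": _mac(key, prev, event)})
    return log


def verify_log(log, key):
    """True iff every entry's MAC is valid and the chain links are intact.

    Editing, deleting or reordering any entry breaks verification, which is
    what 'tamper-proof' means for an audit log.
    """
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev:
            return False
        if not hmac.compare_digest(_mac(key, entry["prev"], entry["event"]), entry["mac"]):
            return False
        prev = entry["mac"]
    return True


def risk_score(log, profile):
    """Composite score: matched high-risk event weights + profile factors, capped at 100.

    Returns (score, list of matched event patterns in session order).
    """
    score, hits = 0, []
    for entry in log:
        cmd = entry["event"]["command"].lower()
        for pattern, weight in HIGH_RISK_EVENTS.items():
            if pattern in cmd:
                score += weight
                hits.append(pattern)
    score += sum(PROFILE_FACTORS.get(factor, 0) for factor in profile)
    return min(score, 100), hits


def build_sample_log():
    """Record the constructed sample session into a fresh chained log."""
    log = []
    for event in SAMPLE_COMMANDS:
        append_event(log, SESSION_KEY, event)
    return log


def tampered_copy(log):
    """Simulate an insider rewriting the 'sudo su -' line after the fact."""
    bad = copy.deepcopy(log)
    bad[1]["event"]["command"] = "ls"
    return bad


if __name__ == "__main__":
    session = build_sample_log()
    print("intact log verifies:", verify_log(session, SESSION_KEY))
    print("tampered log verifies:", verify_log(tampered_copy(session), SESSION_KEY))
    print("risk:", risk_score(session, ["third_party", "off_hours"]))
```

The chain makes silent edits detectable rather than preventing them, so the log store still needs to be encrypted and access-restricted as the text describes; the scoring is deliberately simple so that the weights and profile factors can be tuned from review of real sessions.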

Sectona Research Team has prepared a comprehensive document covering the above clauses, which is available on the website here. If you wish to read the PCI DSS v3.2.1 Compliance document, it can be downloaded here.

To know more about a list of high-priority privileged use cases, refer to this document here.

Shruti Kulkarni

Sales & Marketing Operations Manager
Being an avid reader, Shruti has always had a fascination for writing. She has used this hobby in her professional career and now writes blogs for Sectona in her spare time. She has been associated with Sectona for almost two years and looks after Sales & Marketing Operations.