PCI-DSS Identity Requirements


PCI-DSS (Payment Card Industry Data Security Standard) v4.0 mandates specific identity and access controls for organizations that handle payment card data, including multi-factor authentication (MFA) for all administrative access, a unique user ID for every individual, least-privilege access based on job function, and a review of all user accounts and their privileges at least once every six months (Requirement 7.2.4).

⚙️ How Does It Work?

Two PCI-DSS v4.0 requirements carry the identity controls. Requirement 7 restricts access to system components and cardholder data to what each role needs (least privilege, with periodic review of accounts and privileges). Requirement 8 covers identifying users and authenticating access to system components: a unique ID per user, no shared or generic accounts for interactive use, and MFA. Requirement 8.4.3 requires MFA for remote network access originating from outside the entity's network; Requirement 8.4.2, a future-dated control that became mandatory on 31 March 2025, requires MFA for all non-console access into the cardholder data environment (CDE), regardless of whether the session originates inside or outside the corporate network. "Non-console" means any network or remote session (SSH, RDP, web consoles, APIs), as opposed to a locally attached console. The MFA system itself must meet Requirement 8.5.1: at least two different factor types, resistance to replay, and no bypass unless a documented, approved exception exists.

📍 Where Is It Used?

Any organization that stores, processes, or transmits payment card data — merchants, payment processors, banks, and their service providers globally.

💡 Real-World Example

A retailer's PCI-DSS v4.0 assessment flags that MFA is enforced only on the VPN. Under Requirement 8.4.2 that is no longer sufficient: MFA is required for all non-console access into the cardholder data environment, including administrators connecting from the internal corporate network. The company puts PCI system access behind Okta with hardware authenticators, so that every SSH, RDP and console-UI session into the CDE requires a second factor, and reaches compliance ahead of the 31 March 2025 deadline.

🔗 Related Terms

Compliance, MFA, SOX, HIPAA, IGA, Access Certification
