How Okta Helps You Comply with PCI-DSS 3.2

As organisations continue to move critical services into the cloud, having strong, centralised identity becomes the foundation of a holistic security strategy. Continuing our efforts to support customers who use Okta to protect Cardholder Data Environments, we are pleased to announce that Okta has released a PCI-DSS Attestation of Compliance (AOC). This self-assessment enables Okta customers to deliver access control to systems that store and process credit card data in a manner compliant with the Payment Card Industry Data Security Standard (PCI-DSS).

PCI-DSS—currently on version 3.2—is an information security standard required by the credit card industry for organisations that store, process, or transmit credit card data. Among other controls, this standard requires strong multi-factor authentication for access to servers and software handling credit card data, the use of strong encryption, and assurance that only authorised employees have access to credit card data.

Okta’s Universal Directory, Lifecycle Management, and Adaptive MFA solutions allow customers to easily implement these controls within the cloud and on-premises components of their Cardholder Data Environments, simplifying compliance with the PCI standard and reducing compliance costs. With the release of Okta's PCI-DSS AOC, customers are no longer required to demonstrate to auditors how Okta is out of scope for their PCI environment. They can directly leverage the strong protections for identity that Okta offers within their own compliance programs—including risk-based authentication and passwordless technologies.

Okta is committed to the highest level of security standards and supports the security requirements of the most regulated and security-conscious industries. Our other security certifications include:

  • A Moderate FedRAMP certification with Authority to Operate (ATO), which enables federal agencies to adopt Okta to simplify their identity management and allows Okta customers to inherit the security controls from Okta’s ATO.

  • The ISO 27001 certification for Okta’s information security management system. ISO 27001 is a global information security standard, which sets requirements for the protection and management of information, intellectual property, employee details, and customer data.

  • The AICPA SOC 2 Type II process, formerly known as SAS 70 Type II, which certifies the operational and security processes of Okta’s service and the company. The detailed results of this stringent certification process are available upon request under a nondisclosure agreement.

  • Becoming one of the first identity-as-a-service (IDaaS) companies to achieve the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 2 Attestation. The CSA STAR program is the first cloud-specific security framework, and attestation provides customers the assurance of a rigorous third-party independent assessment. STAR Attestation is based on type 2 SOC attestations, plus additional Cloud Controls Matrix criteria.

We believe that the PCI-DSS AOC, along with Okta's commitment to security standards and innovative solutions, enables our customers to protect identities more effectively.

Learn more about how using Okta Adaptive MFA can help your organisation with PCI-DSS.