Your PCI DSS Compliance Journey with Okta

Last updated: August 2022

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is designed to reduce the risk of debit and credit card data loss. The standard’s controls describe how data loss can be prevented and detected, and how to respond if a potential data loss does occur. Among other controls, the standard requires strong multi-factor authentication for access to servers and software that handle credit card data, the use of strong encryption, and assurance that only authorized employees have access to credit card data. While Okta does not transmit, process, and/or store cardholder data in providing its services, it is considered a supporting system for PCI DSS compliance.

In 2018, Okta announced its commitment to support customers who use Okta to protect cardholder data environments by releasing Okta’s PCI DSS SAQ-D AOC for Okta’s IDaaS service. Currently, Okta’s PCI DSS SAQ-D is assessed by a QSA and is available for download. To access the PCI DSS SAQ-D AOC for Okta’s IDaaS service, Okta administrators of current customers must log in to the Okta Help Center. Prospective customers interested in accessing the AOC should reach out to their Okta representative.

In this document, we share more information on these assessments and discuss how you can use the Okta Identity Cloud to comply with PCI DSS v3.2.1.

PCI DSS: Background and Goals

To protect cardholder data around the globe, the PCI Council works with “merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.” Its work helps these institutions understand and implement standards for security policies (including processes to protect payment systems from breaches) and helps vendors implement standards for creating secure payment solutions. PCI DSS outlines 12 requirements for payment card security. These requirements can be complex and difficult to maintain, especially for larger organizations. We have grouped them into six goals:

GOAL 1: Safeguard cardholder data by implementing and maintaining a firewall

  1. Install and maintain a firewall configuration to protect cardholder data; firewalls restrict incoming and outgoing network traffic according to rules and criteria configured by your organization.

  2. Focus on hardening your organization’s systems and assets, e.g., not using vendor-supplied defaults for