Achieving PCI compliance: Leveraging HashiCorp Vault to protect payment data

PCI DSS (Payment Card Industry Data Security Standard) is a global standard that establishes technical and operational criteria for protecting payment data. The PCI Security Standards Council announced PCI DSS v4.0 on March 31, 2022. Now organizations have until March 31, 2025 to comply with the new standard.

HashiCorp Vault can play a significant role in helping your organization attain PCI DSS certification by providing secure and compliant management of sensitive data, including cardholder data. This post will give a brief overview of the areas where Vault can help your organization comply with the new standards in time.

»What is HashiCorp Vault?

Vault is an identity-based secrets and encryption management system that provides encryption services gated by authentication and authorization methods to help ensure secure, auditable, and restricted access to secrets. Some of the world’s largest organizations use Vault to secure, store, and protect secrets and other sensitive data using a UI, CLI, or HTTP API.

A secret is anything that you want to tightly control access to, such as tokens, API keys, passwords, encryption keys, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. Vault validates and authorizes clients (users, machines, applications) before providing them access to secrets or stored sensitive data.

»Vault secrets management can help meet PCI requirements

HashiCorp Vault can help organizations meet several PCI requirements, including:

1. Secrets management: HashiCorp Vault can securely store and manage sensitive data, such as API keys, passwords, and encryption keys. This ensures that cardholder data (CHD) and other sensitive information are protected from unauthorized access or exposure.
2. Data encryption: Vault provides strong encryption capabilities, including encryption-as-a-service. You can use Vault to manage the encryption keys required for protecting data at rest and in-transit, which can help meet PCI requirements for compliance when storing CHD or secrets related to the cardholder data environment (CDE).
3. Dynamic secrets: Vault can generate dynamic secrets on-demand and automatically refresh and rotate them frequently, reducing the risk of long-lived secrets being compromised. This aligns with PCI DSS requirements for secure key management and data access.
4. Data masking: Vault can be used to mask sensitive data, such as credit card numbers, by doing irreversible transformations with the format preserved, replacing all characters with user-specified ones, and other forms of pseudonymization. This may help reduce the scope of PCI requirements by limiting the exposure of cardholder data.
5. Format-preserving encryption: Vault can transform secret data via FF3-1 to encode input values while maintaining its data format and length.
6. Tokenization: Vault can substitute sensitive data elements such as cardholder data with a non-sensitive and mathematically irreversible equivalent, replacing the data rather than encrypting it.
7. Automated secret rotation: Vault can automate the rotation of encryption keys, database credentials, and other secrets, ensuring that they are changed in accordance with organizational policy and in alignment with security best practices.
8. Access control: Vault offers fine-grained access controls, allowing you to define and enforce access policies based on roles and permissions. This helps ensure that only authorized personnel can access sensitive data, which directly supports PCI DSS requirements.
9. Audit logging: Vault maintains comprehensive audit logs of all access and operations, providing accountability for access to secrets stored within Vault and supporting the compliance with PCI requirements. Vault logs provide the visibility needed to track who accessed what data and when, helping meet PCI’s audit trail requirements.
10. Integration with other tools: Vault can integrate with a large ecosystem of mainstream IT tooling, as well as various cloud platforms and hardware security modules (HSMs), mitigating any integration gaps that might obstruct end-to-end compliance. Vault also has a plugin-based architecture that allows organizations to build custom integrations.
11. Third-party integrations: Vault offers integrations with multiple leading identity and access management (IAM) systems, including various identity providers and authentication mechanisms These integrations enable unified access controls and centralized roles, which can support PCI compliance.
12. Compliance as code: HashiCorp Terraform can be used in conjunction with Vault to define infrastructure as code (IaC) and ensure that compliance requirements are met from the moment infrastructure gets provisioned. This includes setting up Vault policies and configurations as code.

»Meeting specific PCI requirements

HashiCorp Vault features can be mapped to 3 of the 12 key PCI requirements listed in the PCI DSS v4.0 Quick Reference Guide; specifically requirements 2, 3, and 4 on pages 24-27 in the reference guide:

»PCI requirement #2: Apply secure configurations to all system components

The requirement: Processes and mechanisms for applying secure configurations to all system components must be defined and understood, and system components must be configured and managed securely.

How Vault addresses it: Vault secrets management securely stores and manages access to secrets and systems based on trusted sources of application and user identity. With dynamic secrets, Vault can generate time-based access credentials.

»PCI requirement #3: Protect stored account data

The requirement: Protect stored IT system account data and secure the cryptographic keys to protect stored account data. Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle must be defined and implemented. In addition, access to displays of full primary account numbers (PAN) and the ability to copy cardholder data must be restricted. PANs must be secured wherever they are stored.

How Vault addresses it: Vault secures credentials and secrets used by people and applications. It updates and rotates credentials and secrets automatically based on policy. Vault's Advanced Data Protection features include the Transform secrets engine, which supports handling cardholder data with non-decipherable, format-preserving, or stateful encryption capabilities, such as data masking, format-preserving encryption, and tokenization.

»PCI requirement #4: Protect cardholder data with strong cryptography during transmission over open, public networks

The requirement: Define and document processes and mechanisms to protect cardholder data with strong cryptography during transmission over open, public networks.

How Vault addresses it: Vault provides encryption-as-a-service in-transit and at-rest to secure customer data. Its KMIP secrets engine lets Vault act as a Key Management Interoperability Protocol (KMIP) server for clients to receive cryptographic keys and encrypt data using KMIP. Vault also supports SSH keys and certificate management to help protect CHD in transit.

»Using Vault for PCI DSS compliance

Leveraging HashiCorp Vault effectively for PCI DSS compliance requires several steps:

1. Identify and document how Vault will be used to meet specific PCI requirements.
2. Develop and implement policies and procedures for using Vault in a PCI-compliant manner.
3. Ensure Vault is located in the proper network location and access from Vault to CDE systems is limited to what is necessary.
4. Regularly monitor and audit Vault to ensure ongoing compliance.
5. Keep track of changes in PCI DSS requirements and adjust your Vault configurations and policies accordingly.

Lastly, achieving PCI compliance requires a comprehensive approach covering people, processes, and technology. HashiCorp Vault can be a valuable tool within that approach, but it must be integrated into a broader compliance strategy that includes training, regular audits, and ongoing monitoring of your systems and processes.

To get started with HashiCorp Vault, visit the Vault product page. To learn more about what’s new in Vault Enterprise, go to the Vault Enterprise release page.

HashiCorp is no stranger to working with large customers that have strict PCI requirements. Check out the case study Managing PCI compliant architectures at scale with Terraform & Vault for further insights and see Vault tokenization for PCI DSS in action. Feel free to contact us if you’d like to discuss your PCI compliance journey.