
PCI compliance software and access reviews: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: PCI DSS compliance remains uneven, with Verizon reporting that only 43.4% of assessed organisations were fully compliant in 2020, while many teams still rely on manual access and evidence workflows that leave payment data exposed. The real issue is not software selection alone, but whether access governance and audit evidence can keep pace with cardholder-data obligations.

NHIMG editorial — based on content published by Zluri: Access Management Top 11 PCI Compliance Software in 2026

By the numbers:

Questions worth separating out

Q: How should organisations use access reviews to support PCI DSS compliance?

A: Use access reviews to prove that only approved identities can reach cardholder data, and that revocation happens when access is no longer needed.

Q: Why do non-human identities make PCI compliance harder to manage?

A: Non-human identities often sit outside human review habits, yet they frequently have direct access to payment systems, secrets, or integrations.

Q: What breaks when compliance evidence is collected manually?

A: Manual evidence collection breaks when the organisation cannot keep pace with configuration changes, entitlement changes, and vendor updates.

Practitioner guidance

  • Map every PCI control to an identity owner: assign clear ownership for access reviews, remediation, logging, and vendor change detection so each control has a named accountable team.
  • Include service accounts in access certification: add non-human identities, shared admin accounts, and vendor-integrated accounts to the same certification cycle used for human users.
  • Monitor configuration drift around the PCI boundary: track changes to firewall rules, file integrity, privileged groups, and vendor-managed integrations that can move systems in or out of scope.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • Product-by-product comparison of the 11 PCI compliance tools and where each one sits in the workflow.
  • Feature-level walkthroughs of access review, evidence collection, and auditor dashboard capabilities.
  • Vendor-specific examples showing how each platform handles remediation tracking and compliance reporting.
  • Customer rating summaries and implementation context for teams choosing between shortlisted products.

👉 Read Zluri's comparison of 11 PCI compliance software options →

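As an added example, not from the NHIMG post or from Zluri's article: a small Python reconciliation that turns the practitioner guidance above into a check. It joins a current identity inventory (human users and service accounts alike) against the latest certification decisions and returns the exceptions an assessor would ask about: identities with cardholder-data access that were never certified, entitlements nobody approved, revocations that are past due, unowned accounts, service credentials past their rotation window, and access that is held but no longer used. The system names, identities, dates and thresholds are constructed for illustration; in practice the inventory and approvals would come from the IdP, secrets manager and access-review tool.

```python
"""Access-review reconciliation for a cardholder-data environment (CDE).

Added example (not NHIMG's or Zluri's code). All identifiers, systems,
dates and thresholds below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed set of in-scope systems; a real run takes this from the PCI scope inventory.
CDE_SYSTEMS = frozenset({"pay-gw-prod", "card-vault", "settlement-db"})


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                              # "human" or "service"
    owner: str | None                      # accountable team; None means unowned
    entitlements: frozenset[str]           # systems the identity can currently reach
    last_used: date | None                 # last authenticated use seen in logs
    credential_issued: date | None = None  # secret/key issue date (service accounts)


@dataclass(frozen=True)
class Certification:
    reviewed_on: date
    approved: dict[str, frozenset[str]]     # identity -> systems the reviewer approved
    revoke_by: dict[tuple[str, str], date]  # (identity, system) -> date revocation was due


def review(identities, cert, today, max_cred_age_days=90, stale_days=90):
    """Return (identity, finding, detail) tuples for every identity that can reach
    a CDE system but whose access is not backed by an approval, or whose
    revocation, ownership, credential rotation or recent use fails the rule."""
    findings = []
    for ident in identities:
        cde_access = ident.entitlements & CDE_SYSTEMS
        if not cde_access:
            continue  # no cardholder-data reach: out of scope for this review
        approved = cert.approved.get(ident.name)
        if approved is None:
            # Certified nothing for this identity: it never went through review at all.
            findings.append((ident.name, "not-in-certification", ",".join(sorted(cde_access))))
        else:
            for system in sorted(cde_access - approved):
                due = cert.revoke_by.get((ident.name, system))
                if due is not None and due < today:
                    # Reviewer said remove it, and the deadline has passed: remediation gap.
                    findings.append((ident.name, "revocation-overdue", f"{system} due {due.isoformat()}"))
                else:
                    findings.append((ident.name, "unapproved-entitlement", system))
        if ident.owner is None:
            findings.append((ident.name, "no-owner", ""))
        if ident.kind == "service" and ident.credential_issued is not None:
            age = (today - ident.credential_issued).days
            if age > max_cred_age_days:
                findings.append((ident.name, "credential-rotation-overdue", f"{age}d"))
        idle = None if ident.last_used is None else (today - ident.last_used).days
        if idle is None or idle > stale_days:
            findings.append((ident.name, "stale-access", "never used" if idle is None else f"{idle}d"))
    return findings


def summarize(findings):
    """Count findings per finding type, the shape an evidence dashboard would show."""
    counts: dict[str, int] = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


def run_sample(today=date(2026, 2, 1)):
    """Constructed inventory and certification record; returns the review findings."""
    identities = [
        Identity("alice", "human", "payments-team", frozenset({"pay-gw-prod", "wiki"}), date(2026, 1, 30)),
        Identity("svc-settlement-etl", "service", "data-eng", frozenset({"settlement-db", "card-vault"}),
                 date(2026, 1, 31), credential_issued=date(2025, 9, 1)),
        Identity("vendor-monitoring-bot", "service", None, frozenset({"pay-gw-prod"}),
                 date(2026, 1, 29), credential_issued=date(2026, 1, 1)),
        Identity("svc-old-batch", "service", "finance-it", frozenset({"card-vault"}),
                 date(2025, 9, 15), credential_issued=date(2026, 1, 10)),
        Identity("carol", "human", None, frozenset({"wiki"}), date(2026, 1, 20)),  # no CDE reach
    ]
    cert = Certification(
        reviewed_on=date(2026, 1, 5),
        approved={
            "alice": frozenset({"pay-gw-prod"}),
            "svc-settlement-etl": frozenset({"settlement-db"}),
            "svc-old-batch": frozenset({"card-vault"}),
        },
        revoke_by={("svc-settlement-etl", "card-vault"): date(2026, 1, 15)},
    )
    return review(identities, cert, today)


if __name__ == "__main__":
    for name, code, detail in run_sample():
        print(f"{name:24} {code:28} {detail}")
```

Two points in the design are worth keeping when adapting it: service accounts go through exactly the same loop as humans, so a non-human identity cannot escape certification simply because nobody thinks of it as a user; and "revocation-overdue" is separated from "unapproved-entitlement" because the first is evidence that review happened but remediation did not, which is the gap the TL;DR describes.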



   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

PCI compliance software is really an identity governance problem in disguise: the article shows that evidence collection, access certification, and change monitoring are the operational controls that make PCI DSS enforceable. That is because payment-data compliance depends on proving who had access, when it changed, and whether review led to remediation. For practitioners, the software choice matters less than whether it can express identity lifecycle truth in audit-ready form.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should be accountable when PCI access controls fail?

A: Accountability should sit with the owners of the identity, the application, and the control process that exposed the gap. For cardholder-data environments, that usually means IAM, security operations, and system owners must share responsibility for review, revocation, and evidence quality, because PCI failures usually cross those boundaries.

👉 Read our full editorial: PCI compliance software exposes the access-control gap in 2026



   