How PCI DSS 4.0 Changes Identity Access Control for Humans and NHIs

Read full article here: https://www.andromedasecurity.com/blogs/how-pci-dss-4-0-impacts-human-and-nhi-identity-security/?source=nhimg

The release of PCI DSS 4.0 marks a transformative shift in how organizations must approach identity security—not just for human users, but also for non-human identities (NHIs) like service accounts, API keys, and automation agents. With cloud-first architectures, DevOps automation, and SaaS integrations on the rise, the number of NHIs has exploded, making them a critical part of the PCI compliance conversation.

PCI DSS 4.0 places heightened emphasis on least privilege, identity lifecycle management, and access governance for both humans and NHIs. It introduces new requirements for access reviews, inactive account removal, password complexity, and the justification of shared identities—all of which directly affect how identities are managed in modern environments.

For human identities, the updated standard mandates:

• Environment-based access controls tailored to production or non-production use (Req 6.5.3)

• Role-based access aligned with least privilege for cardholder data (Req 7.2.1)

• Biannual access reviews (Req 7.2.4)

• Immediate revocation of terminated user access (Req 8.2.5)

• Inactive user account deactivation within 90 days (Req 8.2.6)

• Strict conditions for shared credentials, JIT access, and password policies (Reqs 8.2.2, 8.2.7, 8.3.x)

For non-human identities, PCI DSS 4.0 introduces first-time, formalized requirements including:

• Mandatory access reviews for system/application accounts (Req 7.2.5.1)

• Enforced least privilege policies for all NHIs accessing sensitive environments (Req 7.2.5)

• Prohibition of interactive logins or shared credentials for NHIs without strict controls (Reqs 8.2.2, 8.6.1)

• Credential rotation based on risk and compromise scenarios (Req 8.6.3)

These updates underscore a central message: identity security is now core to PCI DSS compliance, not just a support function. NHIs must be treated as first-class citizens in the identity security model—discovered, monitored, reviewed, and governed with the same rigor as human users.

How Andromeda Security Helps

Andromeda Security enables organizations to align with PCI DSS 4.0 by offering:

• Unified visibility into all identities—human and non-human

• Continuous access reviews and entitlement right-sizing

• Just-in-Time access provisioning and intelligent revocation

• AI-driven behavior analysis and risk-based policy enforcement

• Automation of credential rotation and shared identity mitigation

With PCI DSS 4.0’s March 2025 deadline approaching, security and compliance teams must take a proactive, identity-first approach. Andromeda delivers the capabilities to streamline PCI audit readiness, reduce manual overhead, and most importantly—protect payment card data from compromise.