Look for evidence that access is both limited and reviewed: fewer broad entitlements, clear ownership for every privileged account, monitoring that flags unusual access, and remediation records for accounts that no longer need payment-system reach. If the same identities repeatedly retain access without challenge, the control is procedural rather than effective.
Why This Matters for Security Teams
PCI access controls are only useful if they are observable in practice, not just documented in policy. For payment environments, the real question is whether privileged access is narrow, approved, reviewed, and removed when no longer needed. NHIs often break that model because service accounts, API keys, and automation tokens persist far longer than human access. NHI Management Group research shows only 5.7% of organisations have full visibility into their service accounts, which makes “working controls” hard to prove.
That gap matters because PCI reviews often focus on entitlement lists and attestations while missing whether the same identities keep access after the business need ends. Current guidance from the PCI Security Standards Council expects access to be restricted and periodically validated, but evidence must show that review leads to removal, not paperwork. Security teams should treat access control as a lifecycle test: provision, use, monitor, review, revoke. In practice, many teams discover the control failed only after a stale account, unused token, or over-broad role is still reaching cardholder systems months later.
How It Works in Practice
To know whether PCI access controls are actually working, teams need evidence across three layers: entitlement design, runtime behaviour, and remediation. At design time, access should be mapped to named business functions rather than generic admin or shared roles. At runtime, monitoring should show who or what used the access, from where, and for what action. After review, the record should show that unnecessary access was removed, not merely acknowledged.
For non-human identities, this is where traditional review workflows often fail. A service account may appear “approved” because it was created for a payment workflow, yet its token never expires, its scope is broader than required, and nobody revisits it after deployment. The Ultimate Guide to NHIs highlights how weak visibility and over-privilege are common failure modes, which is why PCI access control testing should include secrets inventory, ownership, rotation status, and deprovisioning records.
- Confirm every privileged account has a named owner and a documented business purpose.
- Check that access reviews result in removals, scope reductions, or JIT changes where appropriate.
- Validate logs for unusual access patterns, such as access outside change windows or from new execution contexts.
- Verify that revoked users, tokens, and service accounts no longer reach cardholder data systems.
For agentic or automated workflows, pair review evidence with runtime controls such as just-in-time access, short-lived credentials, and policy checks at request time. The OWASP Non-Human Identity Top 10 is useful here because it frames excessive privilege, secret sprawl, and weak lifecycle control as operational risks, not documentation issues. These controls tend to break down in environments with shared service accounts, long-lived API keys, or outsourced operations because ownership and usage evidence become too diffuse to prove.
Common Variations and Edge Cases
Tighter access control often increases operational overhead, requiring organisations to balance faster delivery against stronger assurance. That tradeoff is real in PCI environments with frequent releases, managed service providers, or batch jobs that need stable connectivity. In those cases, current guidance suggests focusing on evidence quality: clear ownership, short-lived access where feasible, and review trails that show every exception was intentionally accepted and then retired.
There is no universal standard for this yet in highly automated environments, but best practice is evolving toward context-aware approval and continuous validation rather than annual attestation alone. A privileged pipeline account that runs only during deployment is a different risk from a persistent database admin, so the control test should match the identity type. NHI-specific monitoring is especially important because over-privileged machine access can look “normal” until a breach forces a retrospective review.
Security teams should be cautious with inherited access, vendor-maintained service accounts, and emergency break-glass credentials. Those cases are often compliant on paper but weak in practice if they lack expiry, alerting, and post-use review. The strongest sign that PCI access controls are working is not the absence of exceptions, but the presence of timely revocation, complete ownership, and a repeatable process that closes access gaps before audit time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers weak rotation and stale machine access, central to proving PCI controls work. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and access accountability support evidence that PCI access is restricted. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access control is the core test for PCI entitlement effectiveness. |
Review entitlements, remove excess privilege, and verify changes are reflected in logs and systems.
Related resources from NHI Mgmt Group
- How do security teams know whether registry access controls are actually working?
- How do security teams know whether PII access governance is working?
- How do security teams know whether AI authorization for ePHI is actually working?
- How do security teams know whether continuous authorisation is actually working?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
