Third-party identities expand the compliance boundary because the organisation still owns the risk even when access is granted to vendors or connected services. If those accounts are not inventoried, scoped, and offboarded with the same discipline as internal identities, cardholder-data exposure and audit failure become much more likely.
Why Third-Party Identities Expand PCI Scope
Third-party identities are risky because they stretch PCI DSS v4.0 beyond the accounts an organisation directly controls. Vendors, integrators, managed service providers, and connected services often need access to cardholder-data environments, but that access is still part of the organisation’s control surface under PCI DSS v4.0. The problem is not vendor status itself. It is the combination of weak inventory, unclear ownership, and accounts that linger after a contract ends.
NHIMG research shows why this becomes a governance issue, not just an access issue. In the Ultimate Guide to NHIs, 92% of organisations expose NHIs to third parties, which means external access is already a mainstream supply chain concern. When those identities are not mapped to a business purpose, PCI teams lose the ability to prove least privilege, review necessity, and revoke access cleanly. In practice, many security teams encounter third-party identity exposure only after a vendor account is still active long after the work has ended.
That is where audit evidence starts to fail. PCI assessors expect proof that access is authorised, justified, and monitored, but unmanaged third-party identities often live outside normal joiner-mover-leaver workflows and outside PAM review cycles.
How to Control Vendor Access Without Losing Oversight
Good PCI practice starts with inventory, then moves to containment. Every third-party identity should be tied to a named supplier, a documented purpose, a defined system boundary, and an expiration date. If the account is used by an automation or service integration, treat it as a workload identity, not a person account, and require the same level of ownership and traceability. For baseline context, the Ultimate Guide to NHIs and the Top 10 NHI Issues both stress that visibility and offboarding are where most programs break down.
Operationally, PCI teams should require:
- Named ownership for every third-party account and secret
- Time-bound access with periodic re-approval
- Separate credentials for each vendor and each environment
- Strong authentication and logging on all external sessions
- Immediate offboarding when contracts, tasks, or support windows end
Use the OWASP Non-Human Identity Top 10 to frame common failure modes such as secret leakage, over-privilege, and untracked lifecycle events. Pair that with NIST Cybersecurity Framework 2.0 to anchor governance, monitoring, and recovery expectations. These controls tend to break down in heavily outsourced environments where vendors provision sub-vendors, shared admin accounts, or long-lived API keys without a clear revocation path.
Where PCI Risk Spikes in Real-World Vendor Models
Tighter third-party control often increases operational overhead, requiring organisations to balance auditability against vendor speed and support friction. That tradeoff is real, especially when a supplier insists on shared credentials, emergency access, or broad privileges to meet service-level commitments. Current guidance suggests that convenience should never override traceability, but there is no universal standard for every vendor model yet.
The highest-risk cases are usually not the obvious ones. They include background integrations that touch payment-adjacent systems, dormant support accounts, shared credentials across multiple technicians, and vendors that retain access to test or staging environments that later connect to production data paths. The 52 NHI Breaches Analysis and the Shai Hulud npm malware campaign show how quickly exposed secrets and third-party tooling can turn into broader compromise. For PCI programs, the lesson is straightforward: if a vendor identity can reach cardholder-data-related systems, its lifecycle must be shorter, more visible, and more tightly reviewed than an internal user account. The model breaks down fastest when third parties can self-provision access or when offboarding depends on manual email coordination.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and PCI DSS v4.0 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Third-party secrets and lifecycles need strict rotation and revocation. |
| NIST CSF 2.0 | PR.AC-4 | Vendor access must be least-privilege and continuously reviewed. |
| PCI DSS v4.0 | 7.2.5 | PCI requires access to be approved, limited, and removed when no longer needed. |
Document vendor ownership, approval, and offboarding evidence for every external identity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
