It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! So far we’ve discussed PCI Requirement 4.1 and mobility, Sampling, and Patching & IPS. If you have a requirement you want reviewed, post it here! Today, it’s fun with a very specific interpretation, but I think we can cover this in a way that will be functional in most (if not all) modern setups. Now, on to our submitter:
Requirement 3.6.6 – Specifically related to service accounts for applications where a human would have the service account password and the service account can then access the keys.
There are two security controls that we discuss in our critical control checklist that are missing from PCI DSS but would help with your interpretation issue. The first: true service accounts should not allow interactive logins—meaning, using the credentials should not get you to a shell or equivalent where you could start performing functions. Most modern operating systems have ways to prevent this from happening (a no-login shell, a locked password, or an equivalent policy setting). In your case, having access to the service account credentials wouldn’t necessarily lead to a discovery of the whole key, thus keeping the split knowledge requirement intact.
The second is around the use of passwords for service accounts in general. We should be moving away from using the password as our default authenticator for service accounts—especially those that may be able to access or alter sensitive information. Whatever the status of your hatred for PKI, it does handle this issue. If you don’t have a full PKI available to you, something basic like SSH keys can accomplish this as well.
If I were in this situation as a QSA, I would ask what controls are in place to prevent a service account with access to those keys from being used interactively, and more specifically what “access” looks like. If a developer with knowledge of the credentials (albeit a problem in itself) can obtain full access to the key, it’s a problem. If I were being assessed, I would focus on using the access controls provided by the operating system to truly do as much separation as possible, and on monitoring the system in a number of different ways to detect someone accessing the key when they shouldn’t be. Should that happen, massive alarm bells would go off and a swift incident response process should follow.
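To make the three points above concrete on a Linux host, here is an added example (not from the original post): it scans passwd-format entries for service accounts that still have an interactive shell, then prints the hardening commands (no-login shell, locked password so a key or certificate becomes the authenticator) and an auditd watch rule for the key file. The sample passwd lines and the key path /srv/keys/dek.enc are constructed for the example.

```shell
#!/bin/sh
# Constructed /etc/passwd lines for this example; not from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pciapp:x:800:800:card processing service:/srv/pciapp:/bin/bash
keysvc:x:801:801:key wrapping service:/srv/keysvc:/usr/sbin/nologin
backup:x:802:802:backup agent:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Print the names of system accounts (UID 1-999, i.e. not root and not a
# regular user) whose login shell is interactive, meaning it is none of the
# conventional no-login shells. Reads passwd-format lines from stdin.
find_interactive_service_accounts() {
    awk -F: '
        $3 > 0 && $3 < 1000 &&
        $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" {
            print $1
        }'
}

# Emit the remediation for one offending account as text, so an operator can
# review it before running it. Arguments: account name, path of the key file
# the account reads (hypothetical path in the demo below).
harden_commands() {
    user="$1"; keyfile="$2"
    # 1. Interactive login no longer reaches a shell.
    printf 'usermod -s /usr/sbin/nologin %s\n' "$user"
    # 2. Lock the password; authenticate the service with an SSH key or certificate instead.
    printf 'passwd -l %s\n' "$user"
    # 3. auditd watch: log every read, write and attribute change of the key file
    #    under the key "dek_access" so unexpected access can be alerted on.
    printf '%s %s -p rwa -k dek_access\n' "-w" "$keyfile"
}

# Demonstration: report and remediate each interactive service account found.
main() {
    echo "$SAMPLE_PASSWD" | find_interactive_service_accounts | while read -r u; do
        echo "interactive service account: $u"
        harden_commands "$u" /srv/keys/dek.enc
    done
}
main
```

On a live host, feed `getent passwd` to `find_interactive_service_accounts` instead of the constructed sample, and load the emitted `-w` line with `auditctl` or place it in the audit rules directory.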
Thanks for the question! If you have your own requirement you want analyzed, go to this post and add a comment!