All posts
June 18, 20264 min read

PCI DSS Compliance for Non-Human Identities

When a PCI DSS auditor asks for proof that every service‑account request was authorized, you should be able to hand over a complete, log that can be reviewed and replayed: who (or which automated identity) initiated the connection, the exact time, the command or query executed, and a guarantee that any cardholder data in the response was masked according to the standard. The evidence must also show that privileged actions were approved by a human before they ran, and that no secret credential wa

Free White Paper

PCI DSS + Non-Human Identity Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When a PCI DSS auditor asks for proof that every service‑account request was authorized, you should be able to hand over a complete, log that can be reviewed and replayed: who (or which automated identity) initiated the connection, the exact time, the command or query executed, and a guarantee that any cardholder data in the response was masked according to the standard. The evidence must also show that privileged actions were approved by a human before they ran, and that no secret credential was ever exposed in clear text. In that ideal state the audit trail is a single source of truth, immutable, and can be replayed to demonstrate compliance without pulling logs from multiple disparate systems.

Why non‑human identities are a compliance blind spot

PCI DSS treats service accounts, CI/CD bots, and other non‑human identities the same as human users under Requirement 8.5 and Requirement 10.5. Those rules demand unique credentials, least‑privilege access, and comprehensive logging of every action. In practice, many organizations grant long‑lived keys to automation tools and let them connect directly to databases or SSH hosts. The connections bypass central logging, credentials are stored in scripts, and any privileged command runs without a human check. Auditors therefore see gaps: no evidence of who invoked a query, no approval record, and no guarantee that sensitive card data was protected during the session.

What auditors expect from the evidence

  • Identity provenance – a token or certificate that ties the request to a specific service account.
  • Just‑in‑time approval – a documented step where a qualified person authorizes a high‑risk operation before it executes.
  • Command‑level audit – a timestamped log of every statement or command issued, including the response status.
  • Inline data masking – proof that card numbers, CVV, or other PAN data never left the target in clear text.
  • Immutable session recording – a replayable capture that can be presented as evidence of what actually happened.

Collecting these artifacts from scattered tools is error‑prone and often incomplete. The missing piece is a single enforcement point that can observe, control, and record every non‑human request before it reaches the target system.

How hoop.dev provides the required enforcement layer

hoop.dev is a Layer 7 gateway that sits in the data path between any non‑human identity and the infrastructure it accesses – whether that is a PostgreSQL database, an SSH host, or a Kubernetes API. Because the gateway proxies the protocol itself, it can apply the controls that PCI DSS expects without requiring changes to the target service.

  • Session recording – hoop.dev captures the full request and response stream for every connection, storing it in a log that auditors can review and replay.
  • Inline masking – before a response leaves the target, hoop.dev can redact PAN fields according to a configurable pattern, ensuring that clear‑text card data never appears in downstream logs.
  • Just‑in‑time approvals – for commands that match a high‑risk policy, hoop.dev pauses execution and routes the request to an approver. The approval decision is recorded alongside the session.
  • Command blocking – dangerous statements (for example, DROP TABLE or privileged sudo commands) can be denied automatically, with the denial logged.
  • Identity‑driven access – non‑human identities are provisioned via OIDC or SAML tokens. hoop.dev validates the token, extracts group membership, and decides whether the request may start. The actual enforcement – logging, masking, and approval – happens inside the gateway.

Because hoop.dev is the only component that sits on the data path, the audit evidence it produces is authoritative. Removing hoop.dev would eliminate the session recordings, the masking guarantees, and the approval workflow, leaving the underlying service without any of the PCI‑required artifacts.

Continue reading? Get the full guide.

PCI DSS + Non-Human Identity Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Integrating non‑human identities with hoop.dev

The setup phase begins with provisioning a service account in your identity provider (Okta, Azure AD, Google Workspace, etc.) and assigning it to a group that reflects its least‑privilege role. hoop.dev acts as a relying party, verifying the token and using the group information to decide if the connection is allowed to start. Once the request passes that check, the gateway enforces the PCI‑specific controls listed above. This separation keeps the identity decision (setup) distinct from the enforcement (gateway), which is the architectural pattern auditors look for when they ask, “How do you ensure that service‑account activity is both authorized and fully logged?”

What you hand to the auditor

When the audit window opens, you can export the following from hoop.dev:

  • A chronological log of every non‑human session, including user ID, timestamp, target, and command.
  • Masked response excerpts that demonstrate compliance with Requirement 3.2 (protect stored cardholder data).
  • Approval records that show who authorized each privileged action, satisfying Requirement 8.6.
  • A replay file for any session the auditor wishes to examine in detail.

All of these artifacts are generated automatically by hoop.dev, so you do not need to build a custom logging pipeline or manually redact data. The evidence is stored centrally, can be retained for the required seven‑year period, and is accessible via the getting‑started guide and the learn section for deeper details.

Getting started

To begin protecting your non‑human identities, follow the quick‑start in the documentation. Deploy the gateway with Docker Compose or Kubernetes, register your target resources, and configure OIDC authentication. The open‑source repository on GitHub contains the full reference implementation.

FAQ

Does hoop.dev replace my existing IAM system?

No. hoop.dev consumes the identity tokens issued by your IAM provider. It does not manage user or service‑account creation; it only enforces access once the identity has been verified.

How does inline masking protect PAN data?

When a response containing card numbers reaches the gateway, hoop.dev applies a pattern‑based redaction before the data is forwarded or logged. The original clear‑text value never leaves the target system, satisfying PCI DSS Requirement 3.2.

Is hoop.dev open source?

Yes. The project is MIT licensed and the source code is available at github.com/hoophq/hoop. You can self‑host the gateway and customize the policies to match your PCI DSS scope.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot