All posts
June 18, 20264 min read

PCI DSS for non-human identities: governing machine access end to end (on Azure)

A PCI DSS‑compliant environment is one where every automated request that a service account makes on Azure is traceable, approved, and its sensitive data protected before it reaches the target system. In that world auditors can see who initiated each transaction, whether a human approved it, and can verify that cardholder data never left the controlled flow. PCI DSS expects organizations to treat machine identities with the same rigor as human users. Each service principal must be uniquely iden

Free White Paper

PCI DSS + End-to-End Encryption: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A PCI DSS‑compliant environment is one where every automated request that a service account makes on Azure is traceable, approved, and its sensitive data protected before it reaches the target system. In that world auditors can see who initiated each transaction, whether a human approved it, and can verify that cardholder data never left the controlled flow.

PCI DSS expects organizations to treat machine identities with the same rigor as human users. Each service principal must be uniquely identifiable, granted only the privileges it needs, and every action it performs must be recorded in an immutable log. The standard also demands that any response containing cardholder data be masked or redacted when viewed by non‑authorized parties. Finally, the control environment must enforce just‑in‑time (JIT) approvals for high‑risk operations, ensuring that no privileged command runs without explicit consent.

Current practice: unchecked service principals

Most teams start with a handful of Azure AD service principals that hold long‑lived client secrets or certificates. Those credentials are baked into CI pipelines, stored in shared vaults, and often copied across multiple environments. Because the gateway sits directly behind the Azure resource, the service principal talks straight to the database, storage account, or Kubernetes cluster without any intervening check. The result is a “wild west” of machine access: anyone who can retrieve the secret can issue any command, and the platform rarely captures who actually ran it. Auditors typically see a blanket "service‑account" entry in the logs, with no per‑request detail, no approval trail, and no masking of sensitive fields.

What the compliance gap looks like

The missing piece is a control plane that can see each request, enforce least‑privilege policies, and produce the evidence PCI DSS requires. Even if you provision unique identities for each microservice and assign tight RBAC roles, the request still reaches the Azure resource directly. Without a data‑path enforcement point, you cannot guarantee that a privileged command is blocked, that a response is masked, or that a human approved a risky operation. In other words, the setup alone does not give you the audit logs, approval records, or data‑masking guarantees needed for PCI DSS evidence.

hoop.dev as the data‑path gateway

hoop.dev sits between the machine identity and the Azure target, acting as an identity‑aware proxy that inspects every wire‑level request. Because hoop.dev is the only component that can see the traffic, it can enforce the controls required for PCI DSS.

  • hoop.dev records each session, capturing the exact command, the originating service principal, and the timestamp.
  • hoop.dev masks cardholder fields in responses, ensuring that downstream tools never expose raw PAN data.
  • hoop.dev blocks disallowed commands before they reach the target, preventing accidental or malicious privilege escalation.
  • hoop.dev routes high‑risk operations to a human approver, providing a JIT approval workflow that is logged for audit.
  • hoop.dev stores the credential used to talk to the Azure resource, so the service principal never sees the secret.

All of these outcomes exist only because hoop.dev occupies the data path. The initial identity verification (Azure AD OIDC token) decides who the request is, but the enforcement, masking, approval, recording, happens inside hoop.dev.

Generating PCI DSS evidence

PCI DSS requires:

  1. Detailed logs of who accessed cardholder data and when.
  2. Proof that only authorized personnel approved high‑risk actions.
  3. Evidence that sensitive fields are masked when displayed to non‑authorized viewers.

hoop.dev produces each of these artifacts automatically:

  • The session log includes the service principal’s unique ID, the exact query or command, and the outcome. Auditors can filter on queries that touch payment tables.
  • The approval workflow writes a signed record that a designated human reviewer granted permission, complete with timestamp and reviewer identity.
  • Inline masking replaces PAN digits with asterisks in real time, and the masked response is what downstream logging systems capture.

Because the gateway is external to the target service, the evidence cannot be tampered with by the service itself, satisfying the “non‑repudiation” aspect of the standard.

Continue reading? Get the full guide.

PCI DSS + End-to-End Encryption: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

High‑level architecture on Azure

1. A service principal authenticates to Azure AD and obtains an OIDC token.

2. hoop.dev validates the token, extracts group membership, and maps it to a policy that defines which Azure resources the principal may reach.

3. The request is forwarded to the Azure resource (e.g., Azure SQL, Azure Kubernetes Service) through the hoop.dev agent that runs inside the same virtual network.

4. While the traffic passes through hoop.dev, the gateway applies masking, approval, and recording before the target processes the request.

5. All logs, approval records, and masked responses are streamed to a central log store that your SIEM or compliance dashboard can ingest.

This pattern works for any Azure‑hosted data store that hoop.dev supports, and it requires no changes to the existing client libraries or scripts that your services already use.

Getting started

To try this approach, follow the getting‑started guide to deploy the gateway in your Azure virtual network. The learn section provides deeper coverage of policy definition, JIT approval configuration, and masking rules.

FAQ

Do I need to change my application code?

No. Applications continue to use their native clients (e.g., psql, kubectl, sqlcmd). The only change is the endpoint they point to – the hoop.dev proxy address.

Can hoop.dev handle high request volumes?

Yes. The gateway is designed to scale horizontally and can be deployed behind a load balancer to meet production throughput requirements.

Is the audit data tamper‑proof?

Because the audit trail is generated outside the target service, it cannot be altered by a compromised database or container. You can forward the logs to an immutable storage service for additional protection.

Explore the source code, contribute improvements, and see the full feature set on the project’s GitHub repository: https://github.com/hoophq/hoop.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot