PCI DSS for non-human identities: governing machine access end to end (on CI/CD pipelines)

When a compromised service account writes credit‑card data to an insecure bucket, the breach can cost millions in fines, remediation, and brand damage. PCI DSS demands that every system handling cardholder data be auditable, that privileged actions be justified, and that sensitive fields be protected at rest and in transit. Yet most CI/CD pipelines treat machine identities as static secrets: long‑lived API keys, hard‑coded passwords, or service‑account tokens checked into repositories. Teams often share those secrets across multiple jobs, reuse them for weeks or months, and skip inspection after the fact. The result is a blind spot that makes it impossible to prove who accessed what, and whether the access complied with PCI DSS requirements.

Because the pipeline itself initiates the connection, the control plane sees only a successful handshake. No intermediate gate enforces real‑time policy, requests approval, or redacts card numbers from logs. The audit trail therefore consists of a handful of build logs that may or may not contain the relevant command output. PCI DSS auditors expect continuous, tamper‑evident evidence that every privileged operation on a payment system is recorded, approved, and, where appropriate, masked. Without a dedicated enforcement layer, organizations rely on manual log collection and ad‑hoc reviews, which are error‑prone and costly.

Why machine identities break PCI DSS expectations

Engineers create non‑human identities, service accounts, CI tokens, and automation bots, during the pipeline setup phase. The setup typically involves granting these identities broad permissions to reach databases, storage buckets, or container registries. The identity provider validates the request and issues a token, but the token itself does not enforce any PCI‑specific guardrails. Once the token lands in the CI runner, the runner talks directly to the target system. No additional checks occur on the request, no masking of PANs happens on the response, and no session is recorded for later review. In practice this means:

• Teams store credentials in plain text in CI secret stores.
• Jobs run arbitrary commands against production databases without a human sign‑off.
• Logs retain full credit‑card numbers because nothing redacts them before they are written.
• Auditors receive only a snapshot of pipeline configuration, not a chronological record of every data‑access event.

All of these gaps violate PCI DSS Requirement 10 (track and monitor all access) and Requirement 3 (protect stored cardholder data). The missing piece is a control point that sits between the CI job and the target system, where policy can be applied consistently.

The missing enforcement layer

The only reliable way to satisfy PCI DSS for non‑human identities is to insert a data‑path gateway that can:

• Inspect each request and compare it against a policy that requires explicit approval for privileged operations.
• Mask or truncate card numbers in responses before they reach the CI job, ensuring logs never retain raw PANs.
• Record the full session, commands sent, responses received, and the identity that initiated the request, so that auditors can retrieve a complete, immutable trail.

Without such a gateway, the enforcement outcomes (approval workflow, inline masking, session recording) cannot be guaranteed. Even if the CI system enforces role‑based access, the enforcement happens before the token is issued, not at the moment the request reaches the database. PCI DSS requires evidence that the control was exercised at the point of access, not merely that the user was assigned a role.

hoop.dev as the identity‑aware gateway

hoop.dev provides the mandatory data‑path component. It sits between the CI runner and every target that stores or processes cardholder data, PostgreSQL, MySQL, MongoDB, or an internal HTTP API. The gateway authenticates the CI job via OIDC, reads the associated group membership, and then applies PCI‑specific policies before the request is forwarded.

Because hoop.dev is the only point where traffic is inspected, it can:

• Generate continuous evidence: hoop.dev records each session, timestamps every command, and stores the logs in a secure audit store. Auditors can query the logs to prove compliance with Requirement 10.
• Enforce just‑in‑time approval: when a job attempts a high‑risk query (e.g., SELECT on a table that holds PANs), hoop.dev pauses the request and routes it to an authorized reviewer. The job proceeds only after an explicit approval, satisfying Requirement 7 (restrict access to cardholder data).
• Apply inline masking: hoop.dev automatically redacts responses that contain card numbers according to PCI DSS masking rules before they reach the CI environment, preventing accidental exposure in build logs.
• Isolate credentials: the gateway holds the database credentials, so the CI job never sees a secret. This eliminates the risk of credential leakage from logs or artifact storage.

hoop.dev makes these outcomes possible by occupying the data path. The setup still defines who may request access, but hoop.dev delivers the enforcement outcomes, approval, masking, recording.

How continuous evidence supports PCI DSS

PCI DSS auditors expect to see a chronological record that proves:

1. Who initiated each access request.
2. When the request occurred.
3. What data was accessed or modified.
4. Whether the access was approved according to policy.

hoop.dev fulfills each point automatically. Each session log includes the identity (derived from the OIDC token), a precise timestamp, the full command payload, and the masked response. The CI job cannot reconfigure the gateway, so the evidence remains untampered. This aligns with PCI DSS Requirement 10.6, which calls for “audit trails that cannot be altered.”

Getting started

To bring continuous PCI DSS evidence to your CI/CD pipelines, begin with the getting‑started guide. Deploy the gateway alongside your build agents, register each target database, and define a policy that requires approval for any query that touches cardholder data. The learn section contains detailed examples of masking rules and approval workflows. All configuration is expressed as declarative policies, and the open‑source repository on GitHub provides reference manifests.

When the gateway is in place, every machine‑initiated connection passes through hoop.dev, turning a previously invisible access pattern into a fully auditable, PCI‑compliant workflow.

FAQ

Does hoop.dev replace existing CI secret management?

No. Secret management remains the responsibility of your CI platform. hoop.dev simply never exposes those secrets to the job; it uses them internally to connect to the target.

Can I use hoop.dev with existing compliance tools?

Yes. You can stream the session logs to SIEMs or log‑aggregation services, where they can be correlated with other compliance data.

Is hoop.dev itself PCI DSS certified?

hoop.dev does not claim certification. It generates the evidence that helps your organization meet PCI DSS requirements.

Ready to see the code and contribute? Explore the open‑source repository on GitHub.