PCI DSS for non-human identities: governing machine access end to end (on GCP)

Why machine identities are a blind spot

Many assume that service accounts automatically satisfy PCI DSS because they are just “non‑human” credentials. The reality is that a service account can be as risky as a human password if it is over‑privileged, shared across teams, and never audited. In most GCP environments, engineers create a single JSON key for a workload, copy it to several CI pipelines, and grant the key permissions to read and write every database that processes cardholder data. The key lives on disks, in version‑control histories, and in backup archives. When a breach occurs, investigators cannot tell which automated job accessed which table, what data was returned, or whether the request complied with the organization’s segregation‑of‑duties policies.

The missing enforcement layer

The first step toward PCI DSS compliance is to treat machine identities like any other privileged principal: define who the request is, enforce least‑privilege, and require explicit justification. Identity providers and IAM policies can answer the question “who may act as this service account,” but they stop short of controlling what the service actually does once the connection is opened. The request still travels directly to Cloud SQL, BigQuery, or a GKE node without any gate that can inspect the payload, mask PANs, or require a manager’s approval before a destructive command runs. Without a data‑path enforcement point, the organization cannot produce the granular logs, masked data extracts, and approval trails that PCI DSS expects for every access to cardholder data.

hoop.dev as the data‑path gateway

hoop.dev inserts a Layer 7 gateway between the non‑human identity and the GCP resource. The setup phase uses OIDC or SAML to authenticate the service account, and IAM roles define the maximum scope of the identity. This authentication step decides who the request is, but it does not enforce any policy on its own.

All traffic then passes through the gateway, which is the only place enforcement can happen. Because hoop.dev sits in the data path, it can:

• Record each session, capturing the exact query or command issued by the machine.
• Apply real‑time masking to any response that contains primary account numbers, ensuring that logs never store raw PANs.
• Require just‑in‑time approval for high‑risk operations such as bulk data export or schema changes.
• Block dangerous commands before they reach the target, for example preventing a DELETE without a WHERE clause.
• Provide replay capability so auditors can replay a session and verify that the observed behavior matches the recorded policy.

Every enforcement outcome exists only because hoop.dev is positioned in the data path. If the gateway were removed, the same IAM role would still allow the service to connect, but none of the above controls would be applied.

For teams getting started, the getting started guide walks through deploying the gateway in a GCP VPC, registering a Cloud SQL instance, and configuring OIDC for a service account. The learn section details how to define masking rules for credit‑card fields and how to configure just‑in‑time approval workflows.

Audit artifacts for PCI DSS

PCI DSS Requirement 10 calls for “track and monitor all access to network resources and cardholder data.” When machine identities are used, the standard expects the same level of evidence as for human users. hoop.dev supplies the following artifacts:

• Session logs: a timestamped record of every query, command, and response, linked to the authenticated service identity.
• Masked data extracts: logs contain only masked versions of PANs, satisfying the requirement to protect stored cardholder data while still proving what data was accessed.
• Approval records: any request that triggered a just‑in‑time approval workflow stores the approver’s identity, decision, and justification.
• Command‑level audit: blocked commands are logged with the reason for denial, demonstrating enforcement of segregation‑of‑duties.
• Replay files: auditors can replay a session in a sandbox to verify that the observed behavior matches the recorded policy.

These artifacts are generated automatically by hoop.dev and can be exported in JSON or CSV for inclusion in the auditor’s evidence package. Because the gateway never hands the raw credential to the client, the auditor can also verify that no secret was exposed during the session.

FAQ

How does hoop.dev satisfy PCI DSS Requirement 10?

Requirement 10 demands detailed logs of all access to cardholder data. hoop.dev records each session, masks sensitive fields, and ties every action to a verified service identity, providing the exact evidence the standard requires.

Do I need to replace my existing IAM policies?

No. IAM continues to define the maximum permissions for each service account. hoop.dev adds a complementary enforcement layer that operates after authentication, ensuring that only authorized actions are allowed and that every action is auditable.

Is hoop.dev open source?

Yes. The gateway is MIT licensed and the source code is available on GitHub. Teams can review, extend, or contribute to the project as needed.

Explore the source code and contribute on GitHub.