All posts
June 18, 20264 min read

PCI DSS for non-human identities: governing machine access end to end (on on-prem)

Many assume that simply assigning a service account to a server satisfies PCI DSS, but the standard demands continuous evidence of who accessed what and when, even for machines. In reality, most on‑prem environments still rely on static passwords, shared SSH keys, or long‑lived API tokens for automation. Those credentials are often copied across servers, never rotated, and the actions they perform are invisible to auditors. This lack of visibility creates two problems. First, the organization c

Free White Paper

PCI DSS + End-to-End Encryption: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many assume that simply assigning a service account to a server satisfies PCI DSS, but the standard demands continuous evidence of who accessed what and when, even for machines. In reality, most on‑prem environments still rely on static passwords, shared SSH keys, or long‑lived API tokens for automation. Those credentials are often copied across servers, never rotated, and the actions they perform are invisible to auditors.

This lack of visibility creates two problems. First, the organization cannot prove that non‑human identities are limited to the functions required for payment‑card processing. Second, without a central point of control, any rogue command can run unchecked, and there is no reliable log that ties a specific service account to a specific database query or configuration change.

Why PCI DSS needs evidence for non‑human identities

PCI DSS requirement 7 calls for restricting access to cardholder data to only those individuals and systems that need it. Requirement 10 requires that all access to system components be logged, and that logs be retained for at least one year. Requirement 12 mandates that security policies be maintained and that they cover all users, including service accounts and automated processes.

When an organization treats a service account like a human user, the same evidence is required: a record that shows the identity, the time of access, the resource touched, and the outcome of the operation. Unfortunately, most traditional tooling captures only the human side of the equation. Service accounts often authenticate directly to the target system, bypassing any audit layer, and the resulting logs are either incomplete or stored in a location that is difficult for auditors to access.

What the audit artifact set must contain

  • Identity‑bound session recordings – a replayable capture of every command issued by a service account, linked to the token that authenticated the request.
  • Command‑level audit logs – structured entries that include the service account name, the exact query or command, the timestamp, and the success or failure status.
  • Inline data masking logs – records that show which fields were redacted in responses, proving that sensitive cardholder data never left the protected boundary in clear text.
  • Just‑in‑time (JIT) approval trails – when a high‑risk operation is requested, the system logs the approval request, the approver’s identity, and the decision outcome.
  • Retention policy enforcement – guarantees that all of the above artifacts are kept for the PCI‑required retention period without manual intervention.

Each of these artifacts directly maps to a PCI DSS control. Together they form a complete evidence package that can be handed to an auditor without having to chase logs across multiple systems.

How hoop.dev delivers the required evidence

hoop.dev places a Layer 7 gateway in the data path between non‑human identities and the target infrastructure. Because every request flows through the gateway, hoop.dev can apply the enforcement outcomes needed for PCI DSS.

When a service account initiates a connection, hoop.dev validates the OIDC or SAML token, extracts the group membership, and then forwards the request to the target. While the traffic passes through the gateway, hoop.dev records the entire session, masks any cardholder fields in responses, and, if the command matches a high‑risk pattern, routes it to a human approver before execution. The gateway also writes a structured audit entry for every command, tying it to the original token.

Continue reading? Get the full guide.

PCI DSS + End-to-End Encryption: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Because the gateway holds the credential for the downstream system, the service account never sees the password or IAM key. This eliminates credential sprawl and ensures that revoking a token instantly cuts off access, satisfying the “least privilege” principle of PCI DSS.

Mapping hoop.dev capabilities to PCI DSS controls

PCI DSS controlhoop.dev artifact
7.1 – Limit access to cardholder dataJIT approval and policy‑driven scoping of each service account request
10.2 – Log all access to system componentsCommand‑level audit logs with identity, timestamp, and outcome
10.5 – Retain logs for at least one yearAutomated retention of session recordings and audit entries
12.3 – Develop and maintain security policiesPolicy definitions live in the gateway and are enforced on every request

By centralising these controls, hoop.dev produces a single, coherent evidence set that auditors can review, rather than piecing together logs from databases, SSH daemons, and CI pipelines.

Getting started with a PCI‑ready gateway

To adopt this approach, begin with the standard deployment guide. The quick‑start uses Docker Compose to spin up the gateway, configure OIDC authentication, and register your on‑prem resources. Once the gateway is running, register each non‑human identity as a scoped token and define the masking and approval policies that match your PCI DSS risk model.

For detailed steps, see the getting‑started documentation and the broader feature overview at hoop.dev/learn. Both pages walk through the high‑level architecture, policy definition, and how to retrieve the audit artifacts for an upcoming assessment.

FAQ

Do I need to change my existing service accounts?

No. hoop.dev works as a transparent proxy. Existing credentials stay where they are; the gateway simply mediates the connection and injects the audit layer.

Can hoop.dev mask data without affecting application performance?

Yes. Masking occurs at the protocol layer and is applied only to fields you explicitly configure, keeping latency low while still protecting cardholder data.

What if a high‑risk command is blocked?

The gateway logs the block, creates an approval request, and returns a clear error to the caller. The approval workflow is fully auditable and tied back to the original service account.

By placing a unified gateway in front of every machine‑to‑machine connection, you gain the continuous, identity‑bound evidence that PCI DSS requires for non‑human identities.

Explore the open‑source code and contribute to the project on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot