All posts
June 18, 20263 min read

PCI DSS for non-human identities: governing machine access end to end (on Postgres)

A CI pipeline that pushes nightly builds to a PostgreSQL replica keeps a static service‑account password in a shared secret store, while an offboarded contractor’s key remains active because the team never rotates it. When a security auditor asks for proof that every machine‑initiated query to the cardholder‑data database was authorized and logged, the answer often reads, “we have logs, but they are incomplete and the credentials are still in use.” This scenario shows why non‑human identities po

Free White Paper

PCI DSS + End-to-End Encryption: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A CI pipeline that pushes nightly builds to a PostgreSQL replica keeps a static service‑account password in a shared secret store, while an offboarded contractor’s key remains active because the team never rotates it. When a security auditor asks for proof that every machine‑initiated query to the cardholder‑data database was authorized and logged, the answer often reads, “we have logs, but they are incomplete and the credentials are still in use.” This scenario shows why non‑human identities pose a unique challenge for PCI DSS compliance.

Why the current approach falls short of PCI DSS expectations

Most organizations treat service accounts like human users: they grant broad database privileges, store the credential in a configuration file, and rely on the database’s native audit log. The setup satisfies the basic requirement that an identity exists, but it does not satisfy PCI DSS requirement 10, which demands detailed tracking of who accessed cardholder data and when. The audit records tie to the database process, not to the individual machine identity, and they cannot prove that a particular CI job or automation script received approval before it ran. Because the credential never changes, a compromised secret can be used indefinitely, violating the principle of least privilege and the requirement to protect stored cardholder data.

What a proper control model must include

To meet PCI DSS, a control model for non‑human identities needs three pieces:

  • Identity verification: each machine must present a token that proves its membership in a specific service‑account group.
  • Enforcement at the data path: the gateway that actually talks to PostgreSQL must approve, block, or mask requests before they reach the database.
  • Continuous evidence: every approval decision, command execution, and data response must be recorded in an immutable audit trail that auditors can review on demand.

If the first two items succeed but the data‑path enforcement point is missing, the organization cannot generate the third. The enforcement outcomes, session recording, inline masking, just‑in‑time approval, appear only when a gateway sits between the identity provider and PostgreSQL.

How hoop.dev provides PCI DSS evidence for PostgreSQL

hoop.dev is a Layer 7 gateway that proxies PostgreSQL connections. It authenticates machines via OIDC or SAML, reads group membership, and then decides whether the request may proceed. Because the gateway sits in the data path, it enforces policies that the database itself cannot.

hoop.dev records each session, captures the exact SQL statement, and stores the result of any masking operation. hoop.dev stores every approval decision, each command execution, and every data response in an immutable audit trail. If a query attempts to read a column that contains PAN (primary account number), hoop.dev masks that field in real time, ensuring that the raw PAN never leaves the gateway.

When a high‑risk operation, such as a bulk export of transaction tables, arrives, hoop.dev pauses the request and routes it to a human approver. The approver’s decision logs alongside the session, creating a concrete audit record that satisfies PCI DSS requirement 10. Because hoop.dev stores the credential used to connect to PostgreSQL, the machine never sees the password, eliminating the risk of credential leakage.

Continue reading? Get the full guide.

PCI DSS + End-to-End Encryption: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

All of these enforcement outcomes originate from hoop.dev, not from the underlying identity system or from PostgreSQL itself. If the gateway were removed, the same identity token would still be presented, but the session would no longer be recorded, the masking would not occur, and the approval workflow would be bypassed. Therefore, hoop.dev is the essential component that turns a simple token‑based connection into a PCI DSS‑ready audit trail.

Mapping hoop.dev capabilities to specific PCI DSS requirements

Requirement 10 – Track access to cardholder data: hoop.dev creates a per‑session log that includes the machine identity, timestamp, SQL statement, and outcome. Approvals appear as separate events linked to the session.

Requirement 3 – Protect stored cardholder data: hoop.dev masks sensitive fields inline, preventing raw PAN from being exposed to the client.

Requirement 7 – Restrict access to least privilege: hoop.dev grants temporary rights that automatically revoke when the session ends, preventing long‑lived over‑privileged credentials.

Requirement 12 – Maintain an information‑security policy: hoop.dev’s configuration stores policy definitions, providing a single source of truth for how non‑human identities may interact with PostgreSQL.

Getting started with hoop.dev for PostgreSQL

Deploy the gateway using the quick‑start Docker Compose file, configure PostgreSQL as a connection, and point your CI jobs to the hoop.dev endpoint instead of the raw database host. The documentation walks you through OIDC integration, policy definition, and enabling inline masking for specific columns. For a step‑by‑step walkthrough, see the getting‑started guide. The learn section provides deeper coverage of masking policies, approval workflows, and audit‑log retention.

FAQ

Can hoop.dev replace existing database audit logs?
hoop.dev complements native logs by adding identity context, real‑time masking, and approval records. It does not replace the database’s internal logging but provides the evidence that PCI DSS auditors require.

What happens if a service account is compromised?
Because hoop.dev retains the credential, an attacker who steals the service‑account secret cannot use it directly. Even if the attacker reaches the gateway, hoop.dev still subjects every command to masking and approval policies, and it records every attempt.

Is hoop.dev certified for PCI DSS?
hoop.dev does not claim certification. It generates the continuous evidence that organizations need to demonstrate compliance with PCI DSS.

Explore the open‑source repository to see how the gateway is built and contribute improvements: github.com/hoophq/hoop.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot