These snippets relate to the blog post
The Great VPN Myth: What PCI DSS 4.0 Actually Requires for Remote Access
https://www.pomerium.com/blog/the-great-vpn-myth-what-pci-dss-40-actually-requires-for-remote-access
These snippets relate to the blog post
The Great VPN Myth: What PCI DSS 4.0 Actually Requires for Remote Access
https://www.pomerium.com/blog/the-great-vpn-myth-what-pci-dss-40-actually-requires-for-remote-access
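# Admin access requiring device identity and MFA
#
# Pomerium policy (PPL): every criterion under `allow.and` must hold for the
# request to be allowed; any criterion under `deny.or` that matches rejects the
# request even when the allow side matches.
#
# NOTE(review): MFA itself is not expressed in this policy -- there is no MFA
# criterion below, so it is assumed to be enforced by the identity provider
# behind `authenticated_user`. Confirm that at the IdP.
allow:
  and:
    - authenticated_user: true
    # Device posture: only an approved, enclave-backed device credential passes.
    - device:
        approved: true
        type: enclave_only
    # Role: the caller must belong to the pci-admin group.
    - groups:
        has: pci-admin
    # is this a known, company managed device by cert
    # (the leading '@' keeps 'x@notcompany.com' from matching)
    - client_certificate:
        san_email:
          ends_with: '@company.com'
deny:
  or:
    # A missing or failed mTLS client certificate is a hard reject.
    - invalid_client_certificate: true
    # Destructive method blocked regardless of role.
    - http_method:
        is: DELETE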
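# Finance team access to cardholder data
#
# Pomerium policy (PPL): all `allow.and` criteria must hold; a matching
# `deny.or` criterion rejects the request regardless of the allow result.
allow:
  and:
    - authenticated_user: true
    # Role: restricted to the pci-authorized-finance group.
    - groups:
        has: pci-authorized-finance
    # Scope: this grant only covers the cardholder-data path prefix.
    - http_path:
        starts_with: /cardholder-data
    # Device posture: approved, enclave-backed device credential required.
    - device:
        approved: true
        type: enclave_only
deny:
  or:
    # NOTE(review): unlike the admin policy, `allow` here does not require a
    # client_certificate SAN match; whether a request with *no* certificate
    # trips invalid_client_certificate depends on the route's client-CA
    # configuration -- confirm that an absent certificate is rejected.
    - invalid_client_certificate: true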
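# Comprehensive PCI DSS compliant policy
#
# Pomerium policy (PPL): every `allow.and` criterion must hold for the request
# to be allowed; any matching `deny.or` criterion rejects it even when the
# allow side matches.
allow:
  and:
    # Identity verification
    - authenticated_user: true
    - domain:
        is: company.com
    # Role-based access
    - groups:
        has: pci-authorized
    # Device security: approved, enclave-backed device credential only.
    - device:
        approved: true
        type: enclave_only
    # Certificate validation (mTLS SAN must be a company address)
    - client_certificate:
        san_email:
          ends_with: '@company.com'
    # Time-based controls (business hours, UTC)
    # NOTE(review): unquoted h:mm:ss values can be read as base-60 integers by
    # YAML 1.1 parsers; confirm how the policy loader parses them, or quote
    # the values if in doubt.
    - time_of_day:
        timezone: UTC
        after: 9:00:00
        before: 17:00:00
    - day_of_week: mon-fri
deny:
  or:
    # Security controls
    - invalid_client_certificate: true
    - http_method:
        is: DELETE
    # Suspicious patterns: admin paths are never reachable through this policy
    - http_path:
        contains: /admin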
{ | |
"level": "info", | |
"service": "authorize", | |
"request-id": "46747f58-a3d2-4f6b-9d7c-f3209e16c8b1", | |
"method": "GET", | |
"path": "/cardholder-data/transactions", | |
"host": "payment.corp.example.com", | |
"session-id": "46b36e11-9938-4c97-b869-b9237573f04f", | |
"allow": true, | |
"allow-why-true": ["policy-match"], | |
"deny": false, | |
"deny-why-false": [], | |
"user": "941b0719-89c2-40fa-a25d-c6c7039f7a8f", | |
"email": "finance-user@company.com", | |
"time": "2024-03-16T14:22:55Z", | |
"message": "authorize check" | |
} |
{ | |
"level": "info", | |
"service": "authorize", | |
"request-id": "8675309a-1234-5678-90ab-cdef12345678", | |
"method": "POST", | |
"path": "/cardholder-data/modify", | |
"host": "payment.corp.example.com", | |
"session-id": "98765432-abcd-efgh-ijkl-mnopqrstuvwx", | |
"allow": false, | |
"allow-why-false": ["group-membership-required"], | |
"deny": true, | |
"deny-why-true": ["outside-business-hours"], | |
"user": "72f20a3b-9876-5432-10fe-dcba09876543", | |
"email": "vendor@partner.com", | |
"time": "2024-03-16T03:15:22Z", | |
"message": "authorize check" | |
} |
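# Temporary vendor access with strict time controls
#
# Pomerium policy (PPL): every `allow.and` criterion must hold; any matching
# `deny.or` criterion rejects the request regardless of the allow result.
#
# NOTE(review): nothing here makes the grant actually temporary -- the only
# time controls are daily business hours. An expiry (e.g. a `date` criterion
# with a `before:` bound) or a tracked removal date is needed so the vendor
# access does not outlive the engagement.
allow:
  and:
    - email:
        ends_with: '@vendor-company.com'
    - groups:
        has: external-contractor
    - authenticated_user: true
    # Business hours only (UTC).
    # NOTE(review): unquoted h:mm:ss values can be read as base-60 integers by
    # YAML 1.1 parsers; confirm how the policy loader parses them.
    - time_of_day:
        timezone: UTC
        after: 9:00:00
        before: 17:00:00
    - day_of_week: mon-fri
    # Device: `type: any` with no `approved: true` relaxes the enclave-only,
    # approved-device posture the internal policies require -- device posture
    # is effectively not enforced for vendors. Confirm this is intended.
    - device:
        type: any
    # mTLS SAN must be a vendor-company address.
    - client_certificate:
        san_email:
          ends_with: '@vendor-company.com'
deny:
  or:
    # Added for consistency with the other policies on this page: a missing or
    # failed client certificate is a hard reject rather than relying on the
    # allow-side SAN match alone.
    - invalid_client_certificate: true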