Although PCI DSS 4.0 was released in March 2022, certain parts became either required or a suggested best practice in March 2024 and the rest will become required in March 2025. We looked for the parts where we could help current and future customers with their compliance efforts. While most of the changes around passwords have to do with complexity and rotation, one stood out: requirement 8.6.2, which has to do with hard-coded passwords in software. 

GitGuardian's flagship secrets detection service embodies 8.6.2

8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded [sic] in scripts, configuration/property files, or bespoke and custom source code. 

This is not just within GitGuardian's wheelhouse; it is the foundation of what we originally built. We have over 300 specific detection engines that catch hard-coded passwords, passphrases, API keys, and more in source code, configuration files, Slack messages, Jira tickets... They are highly tuned and monitored to ensure maximum coverage with minimal false positives. And when a secret is detected, we offer workflow management tools to ensure it is handled.

The subparagraphs fall well within our abilities too. In 8.6.2.a, demonstrating compliance includes interviewing personnel and examining systems to confirm that credentials are not being hard-coded in software, and stating explicitly that they must not be hard-coded going forward. That is a sound policy recommendation, but policies are not followed consistently without consistent monitoring to ensure they are (and corrective action when they are not).

GitGuardian can scan your existing codebase for issues you need to fix, and you can implement automations that integrate GitGuardian into your source code management systems, such as GitHub or GitLab, to catch and block commits that add hard-coded secrets to the codebase. Our secret-blocking and secret-scanning tools mean you don't have to worry whether your developers follow the new policy perfectly, because the automation backstops that policy.
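As an added illustration of the kind of check such an integration performs on a commit (example code written for this page, not GitGuardian's detection engine), the following Python flags lines in scripts, property/config files and source code where a password-like key is assigned a literal value, while ignoring environment-variable references, template expressions, lookup calls and placeholders. The sample files are constructed inline; a non-zero exit status is what a pre-commit or pre-receive hook would use to block the commit.

```python
import re
import sys

# Key containing password/passwd/passphrase, an optional closing quote (JSON), then ':' or '='.
ASSIGN = re.compile(r"(?i)\b([\w.\-]*(?:password|passwd|passphrase)[\w.\-]*)['\"]?\s*[:=]\s*(.+)$")
VALUE = re.compile(r"""^(?:"([^"]*)"|'([^']*)'|([^\s#;,]+))""")  # quoted or bare value
PLACEHOLDERS = {"", "none", "null", "changeme", "redacted", "todo", "xxx"}

def literal_value(raw):
    """Return the hard-coded value in `raw`, or None if it is not a literal."""
    m = VALUE.match(raw.strip())
    if not m:
        return None
    if m.group(3) is not None:
        val = m.group(3)
        # Bare tokens with shell, template, call or index syntax refer to something else.
        if re.search(r"[$(){}<>\[\]]", val):
            return None
    else:
        val = m.group(1) if m.group(1) is not None else m.group(2)
    if val.lower() in PLACEHOLDERS or val.startswith(("$", "{{", "<", "%(")):
        return None
    return val

def scan_text(name, text):
    """Return (file, line_no, key) for every hard-coded password assignment."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.search(line)
        if m and literal_value(m.group(2)) is not None:
            findings.append((name, no, m.group(1)))
    return findings

def scan_files(files):
    """Scan a {name: content} mapping, e.g. staged files read from the git index."""
    return [hit for name, text in files.items() for hit in scan_text(name, text)]

# Constructed sample files standing in for the content of a commit under review.
SAMPLE_FILES = {
    "app.properties": "db.user=app\ndb.password=Tr0ub4dor&3\n",
    "deploy.sh": 'export DB_PASSWORD="${DB_PASSWORD}"\nexport API_PASSWORD=\'letmein\'\n',
    "settings.py": 'PASSWORD = os.environ["APP_PASSWORD"]\nADMIN_PASSWORD = "admin123"\n',
    "values.yaml": "password: <set-via-secret>\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for name, no, key in hits:
        print(f"{name}:{no}: hard-coded value assigned to '{key}'")
    sys.exit(1 if hits else 0)  # non-zero status is what blocks the commit in a hook
```

Only the second line of each sample file is reported: the `${DB_PASSWORD}` reference, the `os.environ` lookup and the `<set-via-secret>` placeholder are left alone, which is the distinction 8.6.2 draws between a credential and a reference to where it is stored.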

We won't get wordy about 8.6.2.b because it basically describes what our secrets detectors do.

So, yes, we can help

Besides being the perfect service to meet the requirements of 8.6.2, we have a number of articles and blog posts about security best practices. From our article on top secrets managers to specific advice like how to handle secrets in Helm, we've got you covered with tips and guidance. With our full suite of services, we can also help you meet the requirements of multiple laws and regulations that are either on the horizon or recently took effect. 

If you'd like to learn more about how GitGuardian can help you meet your PCI DSS compliance requirements before the deadline hits in 2025, book a demo with our knowledgeable and friendly staff.