For companies handling cardholder data, PCI DSS mandates the protection of sensitive payment card data, including secure storage of encryption keys, multi-factor authentication (MFA), and strict access controls, all of which relate to secrets security.
Although PCI DSS 4.0 was released in March 2022, it only replaced 3.2.1 as the mandatory standard in March 2024, and the future-dated requirements it introduced were treated as best practice until they become required on 31 March 2025. We looked for the parts where we could help current and future customers with their compliance efforts. While most of the changes around passwords have to do with complexity and rotation, one stood out: requirement 8.6.2, which deals with hard-coded passwords in software.
GitGuardian's flagship secrets detection service embodies 8.6.2
8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded [sic] in scripts, configuration/property files, or bespoke and custom source code.
This is not just in GitGuardian's wheelhouse; it is the foundation the company was built on. We have over 300 specific detection engines that catch hard-coded passwords, passphrases, API keys, and more in source code, configuration files, Slack messages, Jira tickets, and elsewhere. They are highly tuned and monitored to ensure maximum coverage with minimum false positives. And when a secret is detected, we offer workflow management tools to make sure it is actually remediated.
The testing procedures fall well within our abilities too. In 8.6.2.a, the assessor interviews personnel and examines system development procedures to verify that processes are defined which explicitly prohibit hard-coding passwords/passphrases for application and system accounts that can be used for interactive login. A written policy is a good start, but policies are only followed consistently when they are monitored consistently (and violations are corrected when they are found).
GitGuardian can scan your existing codebase for the hard-coded credentials you need to fix, and you can integrate GitGuardian into your source code management system, such as GitHub or GitLab, to catch and block commits that would add new hard-coded secrets to the codebase. With scanning of the history and blocking of new commits in place, you don't have to rely on every developer following the new policy perfectly, because the automation backstops the policy.
We won't get wordy about 8.6.2.b, which has the assessor examine scripts, configuration/property files, and bespoke and custom source code to verify that such passwords/passphrases are not present: that is exactly what our secrets detectors do.
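To make the "catch and block" step concrete, here is an added, illustrative pre-commit check that is not GitGuardian's code and not the detection logic of its 300+ engines: a small Python scanner that looks at staged files for the three artefact types named by 8.6.2 (source code, configuration/property files, scripts) and flags string literals assigned to password/passphrase-style keys, while letting through values that are injected at runtime (environment variables, `os.environ`/`getenv` lookups, Helm/Ansible-style `{{ }}` templates) and obvious placeholders. The file names, contents, key list and placeholder list are constructed for the example. A real detector also covers credentials embedded in connection URLs, high-entropy tokens and many vendor-specific formats, which this toy deliberately does not.

```python
import re
from dataclasses import dataclass

# Assignment of a value to a password-like key, in the syntaxes found in
# source (x = "..."), JSON/dicts ("x": "..."), YAML (x: ...), .properties and
# shell (x=...). The key list is an illustrative assumption, not a product rule.
ASSIGN_RE = re.compile(
    r"(?i)(?P<key>pass(?:word|phrase|wd)?|pwd)[\"']?\s*[:=]\s*"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>[^\s#\"']+))"
)
# Values that are resolved at runtime rather than stored as literals:
#   $VAR / ${VAR}, os.environ[...], getenv(...), {{ template }} references.
INDIRECT_RE = re.compile(
    r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$|os\.environ|getenv|\{\{"
)
# Placeholders that are not live credentials (constructed list for the example).
PLACEHOLDERS = {"", "changeme", "<password>", "xxx", "***", "todo", "redacted"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str          # the matched key only; the secret itself is never stored


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line of `text` that hard-codes a credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):   # commented-out line, not live
            continue
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group("dq") or m.group("sq") or m.group("bare") or ""
        if value.lower() in PLACEHOLDERS or INDIRECT_RE.search(value):
            continue
        findings.append(Finding(path, line_no, m.group("key")))
    return findings


def should_block(staged: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Pre-commit decision: block if any staged file contains a hard-coded credential."""
    findings = [f for path, text in staged.items() for f in scan_text(path, text)]
    return bool(findings), findings


# Constructed sample of what a commit might stage (not real files or secrets).
SAMPLE_STAGED = {
    "app/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2"          # hard-coded: violates 8.6.2\n'
        'CACHE_PASSWORD = os.environ["CACHE_PASSWORD"]  # injected at runtime\n'
        'PASSWORD_MIN_LENGTH = 12         # a policy value, not a credential\n'
    ),
    "config/application.properties": (
        "jdbc.user=svc_payments\n"
        "jdbc.password=${JDBC_PASSWORD}\n"
        "smtp.password=Winter2024!\n"
    ),
    "deploy/backup.sh": (
        "#!/bin/sh\n"
        "# PGPASSWORD=oldvalue  (commented out, not live)\n"
        "export PGPASSWORD='pg-s3cr3t'\n"
        "pg_dump -U backup cardholder_db > /backup/ch.sql\n"
    ),
    "helm/values.yaml": (
        "db:\n"
        '  passphrase: "{{ .Values.secrets.dbPassphrase }}"\n'
        "  password: changeme\n"
    ),
}


if __name__ == "__main__":
    blocked, found = should_block(SAMPLE_STAGED)
    for f in found:
        print(f"{f.path}:{f.line_no}: hard-coded value for '{f.key}' (redacted)")
    # A non-zero exit from a git pre-commit hook aborts the commit.
    raise SystemExit(1 if blocked else 0)
```

Run as a git pre-commit hook this reports three violations (`app/settings.py:2`, `config/application.properties:3`, `deploy/backup.sh:3`) and exits non-zero, so the commit never lands in history where it would need rotating. In practice you would not write your own scanner: GitGuardian's ggshield CLI does this job with the full detector set via `ggshield secret scan pre-commit` in the same hook position, and the server-side integration catches pushes that bypass local hooks.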
What are the risks of non-compliance?
- Non-compliant organizations can face substantial fines from card brands like Visa, Mastercard, and American Express, typically levied on the acquiring bank and passed on to the merchant. These fines can range from $5,000 to $100,000 per month, depending on the severity and duration of non-compliance.
- Additional fines may be imposed in the event of a data breach.
- Organizations may be held legally responsible for breaches that expose cardholder data, leading to lawsuits, settlements, or judgments. This can involve class-action lawsuits from affected customers or regulatory enforcement actions.
- In cases of severe non-compliance, payment processors and banks can revoke an organization’s ability to process credit card transactions, disrupting operations and leading to significant revenue loss.
- Non-compliance with PCI DSS may void cyber insurance policies, leaving an organization financially vulnerable after a security incident or breach.
- Non-compliance can result in an organization having to compensate customers for losses due to fraudulent transactions. In some cases, banks may also demand compensation for the reissuing of compromised cards.
So, yes, we can help
Here’s how GitGuardian helps financial companies to ensure regulatory compliance:
Besides directly addressing requirement 8.6.2, we have a number of articles and blog posts about security best practices. From our article on top secrets managers to specific advice like how to handle secrets in Helm, we've got you covered with tips and guidance. With our full suite of services, we can also help you meet the requirements of multiple laws and regulations that are either on the horizon or recently took effect.
If you'd like to learn more about how GitGuardian can help you meet your PCI DSS compliance requirements before the 31 March 2025 deadline, book a demo with our knowledgeable and friendly staff.