PCI-DSS v4 authentication requirements for SaaS

Understanding PCI-DSS v4 Authentication Requirements for SaaS

The Payment Card Industry Data Security Standard (PCI-DSS) has undergone significant changes with the release of version 4, particularly in the area of authentication requirements. For SaaS providers, these changes are not just regulatory compliance but also a critical component of securing customer data and maintaining trust.

Key Requirements for SaaS Teams

  • Requirement 8.2: Multi-Factor Authentication (MFA) must be implemented for all users. No single factor (such as a password) is sufficient on its own to authenticate a user; MFA requires the user to present multiple, independent forms of verification, such as a password plus a one-time code delivered to their mobile device.
  • Requirement 8.3: Shared accounts must be disabled. In many SaaS environments, shared accounts are used so that several people can access the same system under one identity. This practice is a major security risk because it makes it difficult to establish who did what and when, which also undermines audit logging. Bastionary can help SaaS teams identify and disable shared accounts.
  • Requirement 8.4: Service accounts must be managed with the same level of security as user accounts. Service accounts are often used to automate tasks within the SaaS environment. However, if not properly managed, they can become a significant security risk. Bastionary provides tools to monitor and control service account activity.
  • Requirement 8.5: Session timeouts must be enforced. This means that after a certain period of inactivity, the user session must be terminated. This helps prevent unauthorized access to the system. Bastionary can be configured to enforce session timeouts based on the SaaS provider's policies.
  • Requirement 8.6: Admin access controls must be strictly enforced. This includes limiting the number of users with administrative privileges and ensuring that these users are properly monitored. Bastionary provides detailed audit logs and access control features to help SaaS teams meet this requirement.

Key Insight: While PCI-DSS v4 is a set of requirements, it is also a framework for building a secure authentication system. SaaS providers must not only comply with the requirements but also understand the underlying principles to build a robust security posture.

Implementing PCI-DSS v4 in a SaaS Environment

Implementing PCI-DSS v4 in a SaaS environment requires a combination of technical expertise and strategic planning. Here are some practical steps that SaaS teams can take:

  • Deploy MFA: Use a platform like Bastionary to implement MFA across all user accounts. This ensures that even if a password is compromised, an attacker holding only that password cannot access the system without the second factor.
  • Disable Shared Accounts: Use Bastionary's account management features to identify and disable shared accounts. This reduces the risk of unauthorized access and helps maintain compliance.
  • Monitor Service Accounts: Use Bastionary's audit logs to monitor service account activity. This helps detect and respond to any suspicious behavior.
  • Enforce Session Timeouts: Configure Bastionary to enforce session timeouts based on the SaaS provider's policies. This helps prevent unauthorized access due to prolonged inactivity.
  • Implement Admin Access Controls: Use Bastionary's role-based access control (RBAC) features to limit the number of users with administrative privileges. This ensures that only authorized users can perform critical operations.
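The steps above (MFA gating, shared-account detection, session timeouts and admin access control) can be illustrated with a small policy enforcer. The code below is an added example written for this article; it is not Bastionary's code and does not use Bastionary's API. The `AuthPolicy` class, the `find_shared_accounts` function, the 15-minute idle timeout and the sample login records are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policy value for this example, not a figure from the article.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    role: str
    source_ip: str
    last_activity: float
    terminated: bool = False


@dataclass
class AuthPolicy:
    """Hypothetical enforcer for MFA, idle timeout and admin role checks."""
    idle_timeout: int = IDLE_TIMEOUT_SECONDS
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def login(self, session_id: str, user: str, role: str, source_ip: str,
              now: float, password_ok: bool, otp_ok: bool) -> bool:
        # MFA: a correct password alone never yields a session.
        if not (password_ok and otp_ok):
            self.audit_log.append(f"t={now:.0f} LOGIN_DENIED user={user} ip={source_ip} reason=mfa_incomplete")
            return False
        self.sessions[session_id] = Session(user, role, source_ip, now)
        self.audit_log.append(f"t={now:.0f} LOGIN_OK user={user} ip={source_ip} role={role}")
        return True

    def authorize(self, session_id: str, action: str, now: float) -> bool:
        s = self.sessions.get(session_id)
        if s is None or s.terminated:
            return False
        # Idle timeout: terminate the session instead of silently refreshing it.
        if now - s.last_activity > self.idle_timeout:
            s.terminated = True
            self.audit_log.append(f"t={now:.0f} SESSION_TIMEOUT user={s.user}")
            return False
        # Admin access control: actions in the admin namespace need the admin role.
        if action.startswith("admin:") and s.role != "admin":
            self.audit_log.append(f"t={now:.0f} DENIED user={s.user} action={action}")
            return False
        s.last_activity = now
        self.audit_log.append(f"t={now:.0f} ALLOWED user={s.user} action={action}")
        return True


# (user, source_ip, start, end) login records, constructed for the example.
LoginRecord = Tuple[str, str, float, float]


def find_shared_accounts(records: List[LoginRecord]) -> List[str]:
    """Flag accounts with overlapping sessions from different source IPs,
    a common sign that one identity is being used by several people."""
    shared = set()
    by_user: Dict[str, List[LoginRecord]] = {}
    for rec in records:
        by_user.setdefault(rec[0], []).append(rec)
    for user, recs in by_user.items():
        for i, (_, ip_a, s_a, e_a) in enumerate(recs):
            for _, ip_b, s_b, e_b in recs[i + 1:]:
                if ip_a != ip_b and s_a < e_b and s_b < e_a:
                    shared.add(user)
    return sorted(shared)


def demo() -> Tuple[bool, bool, bool, bool, bool, List[str]]:
    """Walk through the policy with constructed inputs; returns each outcome."""
    policy = AuthPolicy()
    pw_only = policy.login("s1", "alice", "user", "10.0.0.5", 0, password_ok=True, otp_ok=False)
    ok = policy.login("s1", "alice", "user", "10.0.0.5", 0, password_ok=True, otp_ok=True)
    read_ok = policy.authorize("s1", "read:invoices", 60)
    admin_denied = policy.authorize("s1", "admin:rotate-keys", 120)
    timed_out = policy.authorize("s1", "read:invoices", 120 + IDLE_TIMEOUT_SECONDS + 1)
    shared = find_shared_accounts([
        ("ops", "10.0.0.5", 0, 3600),     # same account, two IPs, overlapping
        ("ops", "192.0.2.9", 600, 1200),
        ("bob", "10.0.0.7", 0, 3600),     # same IP twice: not flagged
        ("bob", "10.0.0.7", 0, 3600),
    ])
    return pw_only, ok, read_ok, admin_denied, timed_out, shared


if __name__ == "__main__":
    print(demo())
```

Every decision, allowed or denied, is written to `audit_log`, which is what makes the admin-access and service-account monitoring steps reviewable after the fact. The overlap check in `find_shared_accounts` is deliberately simple; a real deployment would also look at device fingerprints and impossible-travel distances before disabling an account.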