
From Crisis to Compliance: How Conifer Retail Rebuilt Trust with Identity-First PCI DSS 4.0 Governance

Executive Summary

As the Q1 deadline loomed for mandatory PCI DSS 4.0.1 access review requirements, Conifer Retail—a mid-sized omni-channel retailer—found itself at a dangerous inflection point. A failed compliance audit exposed critical weaknesses in its identity and access management (IAM) program, threatening not only customer trust but also the company’s eligibility to process cardholder data. 

This narrative follows Conifer Retail’s urgent pivot: from audit failure and regulatory pressure to a proactive identity-first governance model powered by Veza’s Access platform.

Introduction

By the close of Q1, PCI DSS 4.0 requirements around access control, especially periodic access reviews and role-based access enforcement, had shifted from best practice to hard mandate. Many organizations struggled to meet the increased rigour, particularly those operating legacy systems or grappling with rapid workforce shifts. Conifer Retail was no exception.

Their wake-up call came in March: a failed PCI audit tied directly to unmanaged service accounts, outdated user access, and a lack of formal periodic reviews. What followed was a company-wide reckoning and a strategic pivot to fix what had long gone unaddressed.

The Compliance Tipping Point

When Conifer Retail’s audit results landed, the findings weren’t shocking, just long overdue. The report cited violations of PCI DSS 4.0 Requirements 7.2.4 (incomplete or missing access reviews), 8.2 (inconsistent MFA enforcement), and 7.2.5 (failure to enforce least privilege). QA environments still relied on shared credentials, and some critical systems hadn’t undergone a formal access review in over 18 months. This painted a clear picture: their access control program couldn’t scale with the business, let alone comply with PCI DSS 4.0.

Behind the scenes, the IT security lead had long flagged these issues, but without automation or visibility across their growing cloud footprint, remediation stalled. Manual reviews in spreadsheets and siloed admin logs simply couldn’t keep pace. Now, under scrutiny from both assessors and executive leadership, Conifer Retail had a choice: modernize or risk real operational fallout.

Veza Enters the Picture

Conifer Retail’s security and compliance teams quickly aligned on a north star: they needed to know, with confidence, who could access what, and why, across their hybrid enterprise. 

Enter Veza.

Veza’s identity security platform gave Conifer Retail what they critically lacked: unified, real-time visibility into who had access to what—and why—across all identities, human and non-human. During the initial discovery phase, the team surfaced:

  • 1,000+ outdated role assignments
  • 300 over-privileged service accounts
  • 150 toxic permission combinations
  • 100+ instances of unnecessary administrative access across Snowflake, AWS, and Salesforce

These findings mapped directly to the audit's cited violations of Requirement 7.2.4 (access reviews), 7.2.5 (least privilege), and 8.2 (MFA and unique ID enforcement).

What had previously taken weeks of manual effort now surfaced in minutes. Veza’s automated reviews, entitlement mapping, and audit-ready evidence transformed Conifer’s access governance from reactive cleanup to proactive control.

Building the Access Review Engine

Using Veza, Conifer Retail stood up a new semi-annual access review workflow aligned to PCI DSS 4.0 Requirement 7.2.4. The process was no longer reactive. It was continuous, complete, and automated.

They began by mapping roles to access, tying job functions to approved entitlements in Salesforce, Snowflake, and Databricks. Next, they uncovered dormant accounts, over-privileged users, and toxic combinations, like QA engineers with production deletion rights. With Veza’s platform generating tailored review tasks for each manager, Conifer Retail not only found and fixed violations but also documented every action for the auditor’s eyes.

By late April, a new audit report showed full remediation. Veza’s audit logs, access graphs, and review workflows served as clear evidence of compliance.

Separation of Duties and the Service Account Problem

Conifer Retail also had to tackle a growing pain point: service accounts. Their use had exploded across automation workflows, but ownership and access weren’t tracked.

Veza’s visibility into non-human identities helped Conifer Retail pinpoint shadow access paths and service accounts with outdated secrets and unnecessary privileges. These were brought under centralized policy, ownership was assigned, and least-privilege enforcement was put in place.

They also uncovered SoD violations like finance users with approval and initiation rights in Coupa, or shared access to S3 buckets among dev and ops teams. These access paths were flagged, resolved, and set up for continuous monitoring.
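The checks described in the two passages above (tying job functions to approved roles, finding dormant accounts and over-privileged users, and flagging toxic permission combinations and separation-of-duties conflicts such as initiate-plus-approve in a procurement system) can be expressed as policy-as-code over an entitlement inventory. The following is an added illustration written for this page; it is not Veza's code and not Conifer Retail's workflow. The identities, role names, permission strings, approved-role mapping and review date are all constructed for the example, and the rule sets are hypothetical.

```python
"""Policy-as-code access review over a constructed entitlement inventory.

Added example, not Veza's code. Resolves identity -> roles -> permissions and then
flags four finding types an access review would surface:
  unapproved_role   - a role outside the set approved for the identity's job function
  toxic_combination - permissions that must never co-exist on one identity
  sod_violation     - separation-of-duties conflict (e.g. initiate + approve)
  dormant           - no recorded activity inside the review window
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                     # "human" or "service" (non-human)
    job_function: str             # key into APPROVED_ROLES
    roles: FrozenSet[str]
    last_activity: Optional[date]  # None means never observed active


# Hypothetical role -> permission mapping (constructed for the example).
ROLE_PERMISSIONS = {
    "qa_engineer": {"staging:deploy", "staging:delete"},
    "prod_ops": {"prod:deploy", "prod:delete"},
    "ap_clerk": {"procure:po:initiate"},
    "ap_manager": {"procure:po:approve"},
    "data_reader": {"warehouse:select"},
    "data_admin": {"warehouse:select", "warehouse:accountadmin"},
}

# Job function -> roles approved for it: the "roles to access" mapping.
APPROVED_ROLES = {
    "qa": {"qa_engineer"},
    "ops": {"prod_ops"},
    "accounts_payable": {"ap_clerk"},
    "finance_manager": {"ap_manager"},
    "analytics": {"data_reader"},
    "automation": {"data_reader"},  # service accounts for reporting jobs
}

# Each rule: a set of permissions that must not co-exist, plus the reason.
TOXIC_RULES = [
    (frozenset({"staging:delete", "prod:delete"}),
     "non-production role combined with production delete rights"),
]
SOD_RULES = [
    (frozenset({"procure:po:initiate", "procure:po:approve"}),
     "same identity can initiate and approve purchase orders"),
]

Finding = Tuple[str, str, str]  # (identity name, category, detail)


def effective_permissions(identity: Identity) -> Set[str]:
    """Union of the permissions granted by every role the identity holds."""
    perms: Set[str] = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def review(inventory: List[Identity], today: date, dormant_after_days: int = 90) -> List[Finding]:
    """Run all review rules over the inventory and return the findings."""
    findings: List[Finding] = []
    cutoff = today - timedelta(days=dormant_after_days)
    for ident in inventory:
        perms = effective_permissions(ident)
        # 1. Role assignments outside the approved set for the job function.
        for role in sorted(ident.roles - APPROVED_ROLES.get(ident.job_function, set())):
            findings.append((ident.name, "unapproved_role", role))
        # 2. Toxic combinations and 3. SoD conflicts: rule fires when every
        #    listed permission is present in the effective set.
        for required, reason in TOXIC_RULES:
            if required <= perms:
                findings.append((ident.name, "toxic_combination", reason))
        for required, reason in SOD_RULES:
            if required <= perms:
                findings.append((ident.name, "sod_violation", reason))
        # 4. Dormant: never active, or last active before the review window.
        if ident.last_activity is None or ident.last_activity < cutoff:
            findings.append((ident.name, "dormant", f"last activity {ident.last_activity}"))
    return findings


# Constructed sample inventory and review date.
TODAY = date(2025, 4, 15)
SAMPLE_INVENTORY = [
    Identity("alice", "human", "qa", frozenset({"qa_engineer", "prod_ops"}), date(2025, 4, 10)),
    Identity("bob", "human", "accounts_payable", frozenset({"ap_clerk", "ap_manager"}), date(2025, 4, 1)),
    Identity("carol", "human", "analytics", frozenset({"data_reader"}), date(2025, 4, 14)),
    Identity("svc-report-etl", "service", "automation", frozenset({"data_admin"}), date(2024, 11, 2)),
]

if __name__ == "__main__":
    for name, category, detail in review(SAMPLE_INVENTORY, TODAY):
        print(f"{name:16} {category:18} {detail}")
```

Evaluating permissions through roles rather than inspecting role names alone is what makes the toxic-combination and SoD rules hold up when a user reaches the same permission through two different roles; the dormant check is applied uniformly to human and service identities, which is where unowned automation accounts typically surface.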

Looking Ahead

Now operating with a sustainable, automated governance model, Conifer Retail isn’t just compliant; it’s prepared for the evolving landscape of compliance and security. After just 90 days, they saw tangible results:

  • 75% reduction in shared credentials
  • 100% MFA enforcement on critical systems
  • 50% decrease in over-privileged accounts
  • Full documentation trail for PCI DSS 4.0 compliance

The next wave of audits will come, as will changes in team structure, tools, and risk posture. But this time, access control won’t be the weak link.

With Veza, they’ve shifted from check-the-box compliance to a modern security posture rooted in visibility, accountability, and continuous access governance. It’s not just about passing audits—it’s about building trust at every layer of the enterprise.

Conclusion

The PCI DSS 4.0 transition is more than a technical upgrade—it’s a cultural shift. For Conifer Retail, a failed audit was the catalyst. For others, it’s a ticking clock. Wherever your organization stands, one truth is clear: You can’t govern what you can’t see. Veza provides the visibility, control, and context required to navigate this new era of compliance with confidence.

Ready to strengthen your PCI DSS 4.0 compliance posture?

Veza empowers organizations like yours to move from reactive audit prep to continuous, identity-first compliance.


Don’t wait for your next audit to find the gaps. Start securing your identities today.



About the Authors:

This article was developed in collaboration between Matthew Romero, Technical Product Marketing Manager at Veza, and Jason Taylor, Senior Solutions Engineer at Veza.

Jason brings deep, customer-facing experience to the identity security conversation. With a background that includes technical roles at Okta and Veza, he works side-by-side with security teams to solve real-world access challenges—from taming over-permissioned accounts to operationalizing Data Security & Stewardship (DSS) frameworks. His strength lies in translating complex technical capabilities into actionable steps that help teams gain visibility, enforce least privilege, and pass audits with confidence.

Matthew complements that boots-on-the-ground insight with a strategic marketing lens—focusing on how organizations communicate, quantify, and prioritize access risk. At Veza, he helps bridge the gap between product innovation and buyer needs, ensuring that identity-first security stories resonate with security, compliance, and executive stakeholders alike.

Connect with the authors:
Jason Taylor – LinkedIn
Matthew Romero – LinkedIn
