How Meridian Bank Achieved PCI-DSS Compliance and Reduced Privileged Access Risk by 94%
Meridian Bank had 12,000+ privileged accounts across their infrastructure with minimal controls. After deploying OmniPriv, they achieved full PCI-DSS compliance and dramatically reduced their attack surface.
Background
Meridian Bank operates across 14 countries with a hybrid infrastructure spanning on-premises data centres, private cloud, and three major public cloud providers. Like many established financial institutions, their privileged access landscape had grown organically over many years — service accounts created for projects long since completed, shared admin credentials for legacy systems, and inconsistent practices across regional IT teams.
When the bank's CISO commissioned an internal audit ahead of a scheduled PCI-DSS assessment, the results were concerning. The audit identified more than 12,400 privileged accounts across the environment. Of these, approximately 3,200 had not been accessed in over 90 days but remained active. Over 800 accounts had passwords that had not been rotated in more than 12 months. Privileged session recording was in place for fewer than 30% of in-scope systems. Administrative access to cardholder data environment (CDE) components was not consistently logged or reviewed.
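The audit findings above rest on two simple thresholds: an active account with no login in more than 90 days is dormant, and an account whose password has not been rotated in more than 12 months is stale. As an added illustration (not code from the case study and not part of OmniPriv), the following Python script applies those thresholds to a constructed privileged-account inventory and ranks the findings, treating anything in CDE scope as high priority. The account names, systems and dates are all made-up sample data.

```python
# Added example: a privileged-account hygiene audit using the two thresholds
# quoted in the case study (90 days dormant, 12 months without rotation).
# The inventory below is constructed sample data, not Meridian Bank's.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DORMANT_AFTER_DAYS = 90        # no login in more than 90 days
STALE_ROTATION_DAYS = 365      # no password rotation in more than 12 months


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    system: str
    enabled: bool
    last_login: Optional[date]      # None = never logged in
    last_rotation: Optional[date]   # None = never rotated
    in_cde: bool                    # in cardholder data environment scope


def is_dormant(acct: PrivilegedAccount, today: date) -> bool:
    """Active account that has not been used within the dormancy window."""
    if not acct.enabled:
        return False                # already disabled: not standing access
    if acct.last_login is None:
        return True                 # never used but still enabled
    return (today - acct.last_login).days > DORMANT_AFTER_DAYS


def has_stale_password(acct: PrivilegedAccount, today: date) -> bool:
    """Active account whose credential has outlived the rotation policy."""
    if not acct.enabled:
        return False
    if acct.last_rotation is None:
        return True                 # never rotated counts as stale
    return (today - acct.last_rotation).days > STALE_ROTATION_DAYS


def audit(accounts: List[PrivilegedAccount], today: date) -> dict:
    """Return sorted lists of findings plus the high-priority subset."""
    dormant = sorted(a.name for a in accounts if is_dormant(a, today))
    stale = sorted(a.name for a in accounts if has_stale_password(a, today))
    flagged = set(dormant) | set(stale)
    # CDE-scoped accounts with any finding go to the top of the remediation list.
    high_priority = sorted(a.name for a in accounts
                           if a.in_cde and a.name in flagged)
    return {
        "active_total": sum(1 for a in accounts if a.enabled),
        "dormant": dormant,
        "stale_password": stale,
        "high_priority": high_priority,
    }


# Constructed sample inventory (hypothetical names and dates).
AS_OF = date(2024, 6, 30)
SAMPLE_INVENTORY = [
    PrivilegedAccount("svc-legacy-batch", "mainframe", True,
                      date(2023, 11, 1), date(2022, 1, 15), in_cde=True),
    PrivilegedAccount("db-admin-oracle", "oracle-prod", True,
                      date(2024, 6, 28), date(2024, 6, 1), in_cde=True),
    PrivilegedAccount("shared-winadmin", "windows", True,
                      date(2024, 6, 20), None, in_cde=False),
    PrivilegedAccount("svc-old-project", "linux", False,
                      date(2023, 1, 1), date(2023, 1, 1), in_cde=False),
    PrivilegedAccount("svc-never-used", "aws-iam", True,
                      None, date(2024, 5, 1), in_cde=False),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, AS_OF)
    print(f"Active privileged accounts: {report['active_total']}")
    print(f"Dormant (>{DORMANT_AFTER_DAYS} days): {report['dormant']}")
    print(f"Stale password (>{STALE_ROTATION_DAYS} days): {report['stale_password']}")
    print(f"High priority (CDE scope): {report['high_priority']}")
```

Disabled accounts are deliberately excluded from both checks so the report measures standing, usable access rather than stale records; a separate clean-up pass would handle deleting disabled accounts. In a real environment the inventory would be populated from directory, cloud IAM and database exports, and the "never logged in" and "never rotated" cases are usually the ones that turn out to be forgotten service accounts.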
The Challenge
The bank faced a convergence of pressures. Their upcoming PCI-DSS assessment required demonstrable controls under Requirements 7, 8, and 10. Their cyber insurance renewal required evidence of privileged access controls as a prerequisite for coverage. And their security team wanted to move from a reactive, largely manual process to an automated, policy-driven PAM capability.
The key requirements for any solution were: ability to manage privileged access across on-premises Linux and Windows systems, Oracle and SQL Server databases, VMware infrastructure, AWS, Azure, and legacy mainframe systems; integration with their existing Active Directory and CyberArk ITSM deployment; high availability with no single point of failure; auditability sufficient to satisfy both internal and external audit requirements; and deployability within a four-month timeline to meet the PCI assessment window.
The Deployment
Meridian chose OmniPriv for its hybrid coverage, database proxy capabilities, and the pre-built PCI-DSS compliance report templates. The deployment was structured in three phases.
Phase one focused on the CDE and highest-risk systems. Within six weeks, all privileged access to cardholder data environment components was flowing through OmniPriv's bastion host. All administrator credentials were vaulted and on automated rotation cycles. Session recording was enabled for 100% of CDE access.
Phase two extended coverage to the broader data centre and cloud environments. The team used OmniPriv's cloud asset sync to automatically discover and onboard AWS IAM roles, Azure service principals, and GCP service accounts. Over 4,000 accounts were discovered and onboarded during this phase, including 890 previously unknown service accounts.
Phase three implemented Just-in-Time access for the most sensitive operations — domain controller access, database administrator operations on production systems, and changes to security infrastructure. Approval workflows were configured requiring L2 sign-off for CDE operations and CISO notification for emergency break-glass access.
Outcomes
At the time of the PCI-DSS assessment, the bank presented: 100% session recording coverage for all in-scope systems, automated credential rotation with configurable schedules, a privileged account inventory with documented ownership and access justification for every account, automated quarterly access reviews, and 12 months of tamper-proof audit logs.
The assessment passed on the first attempt — the first time that had been achieved in the bank's history. The CISO reported a measured reduction of 94% in their privileged access risk score as calculated by their enterprise risk management platform, primarily attributable to the elimination of shared credentials, the reduction in standing privileged access, and the removal of 3,800 dormant accounts.
The security operations team also reported a significant improvement in incident response capability, with privileged session recordings enabling rapid reconstruction of the timeline in two separate security investigations conducted in the months following deployment.
See OmniPriv in Action
Talk to our team to see how OmniPriv addresses the challenges in this article for your specific environment.