PCI-DSS and Workday: When Payroll Data Becomes a Compliance Problem
Most teams assume Workday is out of PCI-DSS scope because it doesn't store card numbers. That changes the moment an expense integration pushes card data through Workday Studio, or a benefits enrolment workflow stores bank account and routing numbers in custom fields. Here is when Workday falls in scope and what to do about it.
1. The scope trigger
Once cardholder data flows through the tenant, the controls around that data are in scope, whether or not Workday is the system that stores it. Common triggers:
- expense integrations from Concur or SAP Expense;
- benefits enrolment workflows storing bank account / routing numbers in custom object fields;
- T&E reimbursement integrations carrying corporate card data.
2. The PCI-DSS requirements that hit hardest
- Req 7 — Restrict access by need-to-know. Maps to security groups and domain security policies (DSPs) on PCI-scoped fields.
- Req 8 — Identify and authenticate access. Maps to Integration System User (ISU) credential rotation and MFA on administrative accounts.
- Req 10 — Track and monitor access. Maps to Workday's audit log retention.
3. How to assess scope cleanly
Map every integration that touches a PAN, expiry date, or magnetic-stripe data, plus every custom field storing bank account or routing numbers. The combined inventory is your PCI scope inside Workday. Document it once, then maintain it as part of your standard change control.
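As an added example (not code from the page or from Yoetz.ai), the Python below builds the inventory described above from exported custom-field samples: it confirms candidate values with the Luhn check for PANs and the ABA routing-number checksum, so employee IDs that merely look like card or routing numbers are not pulled into scope, then tags each in-scope field with the requirements listed in section 2. Field names and sample values are constructed; the record shape is an assumption, not a Workday API.

```python
import re

# Candidate patterns; checksums below decide whether a hit is real.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
ROUTING_RE = re.compile(r"\b\d{9}\b")              # ABA routing transit numbers are 9 digits
PCI_REQS = ["Req 7", "Req 8", "Req 10"]            # requirements from section 2


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing checksum: weights 3,7,1 repeated, sum must be divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0


def classify_value(value: str) -> set:
    """Return the kinds of scoped data found in one field value."""
    kinds = set()
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.add("PAN")
    for m in ROUTING_RE.finditer(value):
        if aba_ok(m.group()):
            kinds.add("ROUTING")
    return kinds


def build_scope_inventory(fields: list) -> list:
    """fields: [{"field": name, "sample_values": [...]}] (constructed export shape)."""
    inventory = []
    for f in fields:
        kinds = set()
        for v in f["sample_values"]:
            kinds |= classify_value(v)
        if kinds:   # only fields that actually hold scoped data enter the inventory
            inventory.append({"field": f["field"], "data": sorted(kinds), "pci_reqs": PCI_REQS})
    return inventory


# Constructed sample export: one card field, one routing field, one look-alike ID field.
SAMPLE_FIELDS = [
    {"field": "Custom_Corporate_Card", "sample_values": ["4111 1111 1111 1111"]},
    {"field": "Custom_Direct_Deposit_Routing", "sample_values": ["011000015"]},
    {"field": "Employee_ID", "sample_values": ["123456789", "1234567890123456"]},
]
```

Run against a report export rather than a handful of samples, the same function yields the field list that change control must keep current.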
4. The Yoetz.ai PCI tag
Every Yoetz.ai finding on a PCI-scoped field is tagged with the PCI requirement it impacts. The same scan that produces SOX evidence also produces PCI ROC/SAQ-ready evidence.