PCI Requirement 7
Restrict Access to Cardholder Data by Business Need to Know
Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. If someone’s job requires that they have access to cardholder data, grant it. But if they can function without it? Deny access. The more people who have access to cardholder data, the more risk there is. Limiting access to those with a legitimate business need can help your organization prevent mismanagement of cardholder data.
Our PCI Requirement 7 videos will discuss the systems and processes that must be in place to limit access to cardholder data based on business need to know. Click on a video below to get start with PCI Requirement 7.
PCI Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know
PCI Requirement 7 focuses on establishing access into your organization’s cardholder data environment through the lens of business need to know. PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.”
PCI Requirement 7.1 – Limit Access to System Components and Cardholder Data
Why Limit Access to System Components and Cardholder Data?
We’ve…
We’ve…
PCI Requirement 7.1.1 – Define Access Needs for Each Role
PCI Requirement 7.1.1 outlines the first step in the process of establishing role-based access controls. PCI Requirement 7.1.1 states, “Define access needs for each role, including: system components and data resources that each role needs to access for their job function, and level of privilege required for accessing resources.”
PCI Requirement 7.1.2 – Restrict Access to Privileged User IDs to Least Privileges Necessary
Within your organization, you will obviously have personnel who require an elevated level of privilege. You will have some personnel with more responsibility than others, but you still need to limit the ability for someone to impact the security of the cardholder data environment.
PCI Requirement 7.1.3 – Assign Access Based on Individual Personnel’s Job Classification and Function
What is PCI Requirement 7.1.3?
PCI Requirement 7.1.3 states,…
PCI Requirement 7.1.3 states,…
PCI Requirement 7.1.4 – Require Documented Approval by Authorized Parties
PCI Requirement 7.1.4 states, “Require documented approval by authorized parties by specifying required privileges.” The PCI DSS explains that the purpose of documented approval, in writing or electronic, is to assure that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.
PCI Requirement 7.2 – Establish an Access Control System
PCI Requirement 7.2 states, “Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.”
PCI Requirement 7.2.1 – Coverage of all System Components
PCI Requirement 7.2.1 requires that your organization’s access control systems include coverage of all system components.
PCI Requirement 7.2.2 – Assignment of Privileges Based on Job Function
We’ve discussed least privileges and business need to know a lot during PCI Requirement 7, and PCI Requirement 7.2.2 is no different.
PCI Requirement 7.2.3 – Default “Deny-All” Setting
PCI Requirement 7.2.3 requires that your organization’s access control systems are set to a default “deny-all” setting, which means that no one is granted access, unless it’s explicitly assigned to someone.
PCI Requirement 7.3 – Ensure Policies and Procedures for Restricting Access to Cardholder Data are Documented, in Use, and Known to all Affected Parties
PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel.
