PCI Requirement 7

Restrict Access to Cardholder Data by Business Need to Know

Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. If someone’s job requires that they have access to cardholder data, grant it. But if they can function without it? Deny access. The more people who have access to cardholder data, the more risk there is. Limiting access to those with a legitimate business need can help your organization prevent mismanagement of cardholder data.

Our PCI Requirement 7 videos will discuss the systems and processes that must be in place to limit access to cardholder data based on business need to know. Click on a video below to get started with PCI Requirement 7.

PCI Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know

PCI Requirement 7 focuses on establishing access into your organization’s cardholder data environment through the lens of business need to know. PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.”
November 28, 2017/by Jeff Wilder
PCI Requirement 7.1 – Limit Access to System Components and Cardholder Data

Why Limit Access to System Components and Cardholder Data?
We’ve…
November 28, 2017/by Jeff Wilder
PCI Requirement 7.1.1 – Define Access Needs for Each Role

PCI Requirement 7.1.1 outlines the first step in the process of establishing role-based access controls. PCI Requirement 7.1.1 states, “Define access needs for each role, including: system components and data resources that each role needs to access for their job function, and level of privilege required for accessing resources.”
November 28, 2017/by Jeff Wilder
PCI Requirement 7.1.2 – Restrict Access to Privileged User IDs to Least Privileges Necessary

Within your organization, you will obviously have personnel who require an elevated level of privilege. You will have some personnel with more responsibility than others, but you still need to limit the ability for someone to impact the security of the cardholder data environment.
November 28, 2017/by Jeff Wilder
PCI Requirement 7.1.3 – Assign Access Based on Individual Personnel’s Job Classification and Function

What is PCI Requirement 7.1.3?
PCI Requirement 7.1.3 states,…
November 28, 2017/by Jeff Wilder
PCI Requirement 7.1.4 – Require Documented Approval by Authorized Parties

PCI Requirement 7.1.4 states, “Require documented approval by authorized parties by specifying required privileges.” The PCI DSS explains that the purpose of documented approval, in writing or electronic, is to assure that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.
November 28, 2017/by Jeff Wilder
PCI Requirement 7.2 – Establish an Access Control System

PCI Requirement 7.2 states, “Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.”
November 28, 2017/by Jeff Wilder
PCI Requirement 7.2.1 – Coverage of all System Components

PCI Requirement 7.2.1 requires that your organization’s access control systems include coverage of all system components.
November 28, 2017/by Jeff Wilder
PCI Requirement 7.2.2 – Assignment of Privileges Based on Job Function

We’ve discussed least privileges and business need to know a lot during PCI Requirement 7, and PCI Requirement 7.2.2 is no different.
November 28, 2017/by Jeff Wilder
PCI Requirement 7.2.3 – Default “Deny-All” Setting

PCI Requirement 7.2.3 requires that your organization’s access control systems are set to a default “deny-all” setting, which means that no one is granted access unless it’s explicitly assigned to them.
November 28, 2017/by Jeff Wilder
PCI Requirement 7.3 – Ensure Policies and Procedures for Restricting Access to Cardholder Data are Documented, in Use, and Known to all Affected Parties

PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel.
November 28, 2017/by Jeff Wilder