What is PCI Requirement 7.2.2?

We’ve discussed least privileges and business need to know a lot during PCI Requirement 7, and PCI Requirement 7.2.2 is no different. PCI Requirement 7.2.2 requires that your organization’s access control systems assign privileges based on job classification and function. If a job doesn’t require certain access to function, there’s no need to grant that access.

Access control systems help protect your organization from unknowingly granting access to the cardholder data environment to an unauthorized user. Access control systems, and implementing PCI Requirement 7.2.2, help your organization automate the process of restricting access and assigning privileges based on job classification and function.

During a PCI assessment, your system settings and relevant documentation will be examined to verify that your access control systems are configured to enforce privileges assigned to individuals based on job classification and function.

PCI Requirement 7.2.2 is about assigning the privileges we've been discussing for role-based access controls. Later in the assessment, under Requirement 8, assessors will obtain copies of your user request forms and artifacts, whether electronic or physical, and then test the systems to confirm that the permissions you approved for these individuals are what has actually been assigned. Requirement 7 is about role-based access controls and making sure that only the necessary privileges have been assigned; Requirement 8 is then about authentication. Specific to PCI Requirement 7.2.2, we want to make sure that only the necessary privileges have been assigned and that your systems are capable of enforcing the privileges you've defined within your organization.

Access Control Systems on All System Components

PCI Requirement 7.2.1 requires that your organization's access control systems include coverage of all system components. Access control systems are incredibly important because they protect your organization from unknowingly granting access to the cardholder data environment to an unauthorized user. Implementing PCI Requirement 7.2.1 ensures that every system component protects the cardholder data environment and supports role-based access controls.

During a PCI assessment, your system settings and relevant documentation will be examined to verify that your access control systems are in place on all system components.

When developing or purchasing systems, you need to make sure that every application you have, whether it is an operating system, a database, or anything else, and the environment as a whole, is capable of supporting role-based access controls.

Why Establish an Access Control System?

PCI Requirement 7.2 states, “Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.” This access control system must include the following three sub-requirements of PCI Requirement 7.2:

  • 7.2.1: Coverage of all system components
  • 7.2.2: Assignment of privileges to individuals based on job classification and function
  • 7.2.3: Default “deny-all” setting

Without a mechanism to restrict access based on business need to know, a user may unknowingly be granted access to the cardholder data environment. This is where the access control system comes into play. Access control systems help your organization automate the process of restricting access and assigning privileges. Some access control systems are set to a default “allow-all” setting, but PCI Requirement 7.2 requires that yours is set to a default “deny-all” setting. This ensures no one is granted access unless a rule is established that specifically grants access.

During the assessment, your system settings and relevant documentation will be examined to verify that your access control system incorporates and implements all elements of the PCI Requirement 7.2 sub-requirements.

It's not enough to have established role-based access controls on paper and said that Johnny, Suzie, Betty and Tommy need access. That's all great, but the systems you implement need to be able to support the permissions you're looking to carry out through your role-based access controls. Specific to PCI Requirement 7.2, you need to make sure that the systems you use or bring in-house are capable of supporting that. One recommendation I would make for your RFP process, when you're looking for a new application or bidding out development work, is to be cognizant of the permissions your application is going to need to support, and to confirm that the authentication mechanisms you have in place can support the role-based access controls you've defined within your organization.
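As an added illustration (not code from the original article), the following Python models the access control system Requirement 7.2 describes: privileges are defined per role, individuals are mapped to a role by job function, and a request is allowed only when a role rule explicitly grants it. The `default_deny` switch contrasts the required "deny-all" setting with the weaker "allow-all" default; the roles, privileges and user names are constructed for the example.

```python
"""Minimal role-based access check with the PCI Requirement 7.2 'deny all' default.

Added illustration, not code from the original article. Roles, privileges and
user names are constructed for the example.
"""

# Privileges each job function needs, defined up front (Requirement 7.1.1).
ROLE_PRIVILEGES = {
    "cashier":  {"pos:process_payment"},
    "dba":      {"chd_db:read", "chd_db:backup"},
    "helpdesk": {"pos:view_status"},
}

# Each individual is mapped to a role by job classification (7.1.3 / 7.2.2).
USER_ROLES = {
    "betty": "cashier",
    "tommy": "dba",
    "suzie": "helpdesk",
    # "johnny" has no role assignment yet
}


def effective_privileges(user: str) -> set[str]:
    """Privileges a user holds through the role assigned to them (empty if none)."""
    return set(ROLE_PRIVILEGES.get(USER_ROLES.get(user, ""), set()))


def decide(user: str, privilege: str, default_deny: bool = True) -> bool:
    """Allow only when a role rule explicitly grants the privilege.

    When no rule matches, the default setting decides. PCI 7.2.3 requires
    that default to be 'deny'; default_deny=False models the weaker
    'allow-all' configuration the article warns about.
    """
    if privilege in effective_privileges(user):
        return True
    return not default_deny


if __name__ == "__main__":
    checks = [("betty", "pos:process_payment"),
              ("betty", "chd_db:read"),
              ("johnny", "chd_db:read")]
    for user, priv in checks:
        print(f"{user:7} {priv:20} deny-all={decide(user, priv)!s:5} "
              f"allow-all={decide(user, priv, default_deny=False)}")
```

Under the allow-all default, the unassigned user "johnny" is granted cardholder database access simply because no rule mentions him; under deny-all the same request is refused.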

Management Approval

PCI Requirement 7.1.4 states, “Require documented approval by authorized parties by specifying required privileges.” The PCI DSS explains that the purpose of documented approval, in writing or electronic, is to assure that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.

PCI Requirement 7.1.4 requires that your organization retain some type of artifact that states who asked for access, whether it is necessary for their job function, and whether management approved this access. Before your PCI assessment, we recommend that you examine anyone with elevated privilege or access into the cardholder data environment and ensure there is management approval for that access. During the assessment, an assessor will take a sample of user IDs and the documentation, which should verify that access was approved by management and that the access matches their job responsibility requirements.

From a security perspective, we have the principle of a data security owner and a data security custodian. Typically, the owner is the management of the organization and the custodian is the IT department. We expect somebody to approve each request for access into an environment. If Betty, Tommy, or Suzie needs access to a particular asset within your organization, somebody needs to approve that, and we expect you to retain some type of artifact showing that access was requested for Tommy to be given privileges to this particular environment and that somebody from management approved it.

One thing we find from time to time is a particular staff member whose access pre-dates PCI DSS. What I would ask you to do is go through all of your privileged staff, or those who've been given escalated privileges or access into the cardholder data environment, and make sure there is some type of management approval for those individuals to have that access. From an assessment perspective, we're going to ask for a copy of those request forms. Typically, we get a sample of new hire request forms, take that back, and look at the access privileges that have actually been assigned. The only permissions assigned in the production environment should be those that were requested and approved by management.

Make sure you have some type of artifact where management has approved everybody’s access into the cardholder data environment or where those individuals might have privileged access.
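The reconciliation an assessor performs, as an added example that is not part of the original article: approval artifacts (who asked, for what, who approved) are compared against a snapshot of the privileges actually assigned in production, flagging access with no management approval (including a legacy account that pre-dates the program) and approvals that were never provisioned. The records, names and the `MANAGEMENT` approver set are constructed for the example.

```python
"""Reconcile management-approved access against privileges actually assigned.

Added example, not from the original article. Models the assessor's test in
which sampled access request artifacts (7.1.4) are compared with what is
assigned in production. All names, privileges and records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    user: str
    privilege: str
    approver: str  # should be management, i.e. the data security owner


# Constructed access request artifacts: who asked, what, and who approved.
APPROVALS = [
    Approval("tommy", "chd_db:read", "ops_manager"),
    Approval("tommy", "chd_db:backup", "ops_manager"),
    Approval("betty", "pos:process_payment", "store_manager"),
    Approval("betty", "chd_db:read", "betty"),          # self-approved: not valid
    Approval("suzie", "pos:view_status", "store_manager"),  # never provisioned
]

# Constructed snapshot of privileges actually assigned in production.
ASSIGNED = {
    "tommy": {"chd_db:read", "chd_db:backup", "chd_db:drop_table"},
    "betty": {"pos:process_payment", "chd_db:read"},
    "johnny": {"chd_db:read"},  # legacy account with no request artifact at all
}

# Constructed list of approvers who count as management.
MANAGEMENT = {"ops_manager", "store_manager"}


def reconcile(approvals, assigned, management):
    """Return findings: (user, privilege) pairs assigned without a valid
    management approval, and pairs approved but not actually assigned."""
    approved = {(a.user, a.privilege) for a in approvals if a.approver in management}
    actual = {(u, p) for u, privs in assigned.items() for p in privs}
    return {
        "unapproved": sorted(actual - approved),    # excess or undocumented access
        "not_assigned": sorted(approved - actual),  # approved but never provisioned
    }


if __name__ == "__main__":
    for kind, pairs in reconcile(APPROVALS, ASSIGNED, MANAGEMENT).items():
        print(kind, pairs)
```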

What is PCI Requirement 7.1.3?

PCI Requirement 7.1.3 states, “Assign access based on individual personnel’s job classification and function.” Because access needs have been defined for user roles in PCI Requirement 7.1.1, it is easy to take the next step in PCI Requirement 7.1.3 and grant individuals access according to their job classification and function by using the already-created roles.

During the assessment, an assessor will, once again, get a list of all the roles and a list of which individuals are in those roles, find out what permissions these particular roles need, and ensure that you are only assigning the necessary privileges to each role.

When you hire somebody within your organization, you've obviously hired them to perform a specific task or to fill a specific role. Requirement 7.1.3 requires that you assign only the privileges necessary for that individual's role. Once again, from an assessment perspective, we're going to work with your HR department, get a list of all the roles and who is in them, talk to management to find out what permissions each role needs, and make sure you're assigning only the necessary privileges to each role.