PCI Requirement 7.1.4 – Require Documented Approval by Authorized Parties

by Randy Bartels / December 19, 2022

Management Approval

PCI Requirement 7.1.4 states, “Require documented approval by authorized parties by specifying required privileges.” The PCI DSS explains that the purpose of documented approval, whether written or electronic, is to ensure that those with access and privileges are known to and authorized by management, and that their access is necessary for their job function. PCI Requirement 7.1.4 requires that your organization retain some type of artifact that states who…

PCI Requirement 7.1.3 – Assign Access Based on Individual Personnel’s Job Classification and Function

by Randy Bartels / December 19, 2022

What is PCI Requirement 7.1.3?

PCI Requirement 7.1.3 states, “Assign access based on individual personnel’s job classification and function.” Because access needs have already been defined for each role under PCI Requirement 7.1.1, the next step in PCI Requirement 7.1.3 is straightforward: grant each individual access according to their job classification and function by assigning them the already-defined roles. During the assessment, an assessor will, once again, get a…

PCI Requirement 7.1.2 – Restrict Access to Privileged User IDs to Least Privileges Necessary

by Randy Bartels / December 19, 2022

What is PCI Requirement 7.1.2?

Within your organization, some personnel will require an elevated level of privilege. Some will have more responsibility than others, but you still need to limit any one person’s ability to affect the security of the cardholder data environment. PCI Requirement 7.1.2 requires you to limit access to privileged user IDs to personnel who truly require it for the function…

PCI Requirement 7.1.1 – Define Access Needs for Each Role

by Randy Bartels / December 19, 2022

How to Define Access Needs for Each Role

PCI Requirement 7.1.1 outlines the first step in establishing role-based access controls. PCI Requirement 7.1.1 states, “Define access needs for each role, including: system components and data resources that each role needs to access for their job function, and level of privilege required for accessing resources.” The PCI DSS states, “In order to limit access to cardholder data to…

PCI Requirement 7.1 – Limit Access to System Components and Cardholder Data

by Randy Bartels / December 19, 2022

Why Limit Access to System Components and Cardholder Data?

We’ve discussed least privilege before (see PCI Requirements 2.2.2 and 3.1) and the principle, “If you don’t need it, get rid of it.” PCI Requirement 7.1 follows the same idea. PCI Requirement 7.1 states, “Limit access to system components and cardholder data to only those individuals whose job requires such access.” If someone’s job needs access to function, grant it.…