Protecting Cardholder Data

PCI Requirement 7 focuses on establishing access into your organization’s cardholder data environment (CDE) through the lens of business need to know. PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. There’s nothing wrong with granting someone access to the CDE, and the PCI DSS does not define which personnel should receive access. If access is required for a job, grant it. The PCI DSS does, however, define “need to know” as, “…when access rights are granted to only the least amount of data and privileges needed to perform a job.”

In this set of PCI Requirement 7 videos, we will discuss the systems and processes that must be in place to limit access based on business need to know. We will cover the following PCI Requirement 7 sub-requirements:

  • 7.1 – Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • 7.1.1 – Define access needs for each role, including system components, data resources, and level of privilege.
  • 7.1.2 – Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
  • 7.1.3 – Assign access based on individual personnel’s job classification and function.
  • 7.1.4 – Require documented approval by authorized parties specifying required privileges.
  • 7.2 – Establish access control that covers all system components.
  • 7.2.1 – Establish access control that covers all system components.
  • 7.2.2 – Assign privileges to individuals based on job classification and function.
  • 7.2.3 – Employ default “deny-all” setting.
  • 7.3 – Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

When we look at PCI Requirement 7, it is focused on establishing access into your environment based on a business need to know. If somebody needs access to data, there’s no problem with granting it. Nothing prohibits you from defining who gets what access. What this particular requirement asks is that you define role-based access controls and establish access into your environment based purely on business need to know.