Documentation for Restricting Access to Cardholder Data

PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. For this requirement, we’ve discussed access control systems, how to define access needs, limiting privileges based on business need to know, and how to further protect your cardholder data environment. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 7.3.

PCI Requirement 7.3 states, “Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.” This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures need to be known and in use by all relevant parties. Your personnel must be implementing what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties use the policies and procedures. It is not sufficient to generate documentation just for the sake of the audit. Your assessor should be reading these documents, becoming familiar with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and procedures understands what they are. If PCI Requirement 7.3 is not met, your systems could be left vulnerable.

Finally, we come to the last requirement within PCI Requirement 7, the capstone, as we’ve been calling it. This requirement, once again, expects you to have policies, procedures, and standards around maintaining user authorization within your environment. It covers the role based access controls. From an assessment perspective, your assessor should be looking at the policies, looking at the procedures, interviewing staff, and making sure that whatever you’ve documented from a policies and procedures standpoint has been implemented within your environment.

What is a Default “Deny-All” Setting?

PCI Requirement 7.2.3 requires that your organization’s access control systems are set to a default “deny-all” setting, which means that no one is granted access unless that access has been explicitly assigned to them. Some access control systems are set to a default “allow-all” setting, but PCI Requirement 7.2.3 requires that yours be set to a default “deny-all” setting. This ensures no one is granted access unless a rule or authorization is established that specifically grants access, rather than permitting access unless a rule is written to specifically deny access.

A default “deny-all” setting is the starting point of authorization for access control systems. Access control systems are vital to the security of your cardholder data environment because they help automate the process of restricting access and assigning privileges. Without PCI-compliant access control systems, your organization could unknowingly grant access to the cardholder data environment to an unauthorized user.

During a PCI assessment, your system settings and relevant documentation will be examined to verify that your access control systems have a default “deny-all” setting in place.

When you implement an application, whether it be an application that you develop within your environment or an application that you purchase, you want to make sure that the starting point for authorization, from the application perspective, is a default “deny-all” setting, meaning that no permissions are granted to any individual unless they have been explicitly assigned to that person. The reverse of that is a model where everybody starts with permission and you take away what they shouldn’t have.

Once again, the applications that you implement need to be able to support default “deny-all” settings.

What is PCI Requirement 7.2.2?

We’ve discussed least privileges and business need to know a lot during PCI Requirement 7, and PCI Requirement 7.2.2 is no different. PCI Requirement 7.2.2 requires that your organization’s access control systems assign privileges based on job classification and function. If a job doesn’t require certain access to function, there’s no need to grant that access.

Access control systems help protect your organization from unknowingly granting access to the cardholder data environment to an unauthorized user. Access control systems, and implementing PCI Requirement 7.2.2, help your organization automate the process of restricting access and assigning privileges based on job classification and function.

During a PCI assessment, your system settings and relevant documentation will be examined to verify that your access control systems are configured to enforce privileges assigned to individuals based on job classification and function.

PCI Requirement 7.2.2 is about assigning the privileges that we’ve been talking about for role based access controls. Later on in the assessment, in Requirement 8, assessors are going to be getting copies of these user request forms and artifacts, either electronic or physical, and then testing the systems to make sure that the permissions you’ve documented for these individuals are actually what has been assigned on the systems. Requirement 7 is about role based access controls and making sure that only the necessary privileges have been assigned. Requirement 8 is then going to be about authentication. Specific to this particular requirement, PCI Requirement 7.2.2, we want to make sure that only the necessary privileges have been assigned and that those systems are capable of supporting the privileges that you’ve defined within your organization.

Access Control Systems on All System Components

PCI Requirement 7.2.1 requires that your organization’s access control systems include coverage of all system components. Access control systems are incredibly important because they protect your organization from unknowingly granting access to the cardholder data environment to an unauthorized user. Implementing PCI Requirement 7.2.1 ensures that your entire system is protecting the cardholder data environment and supporting role based access controls.

During a PCI assessment, your system settings and relevant documentation will be examined to verify that your access control systems are in place on all system components.

When developing and/or purchasing systems, you need to make sure that every application you have, whether it be an operating system, a database, or anything else, and indeed the entire environment, is capable of supporting role based access controls.

Why Establish an Access Control System?

PCI Requirement 7.2 states, “Establish an access control system for system components that restricts access based on a user’s need to know, and is set to ‘deny all’ unless specifically allowed.” This access control system must include the following three sub-requirements of PCI Requirement 7.2:

  • 7.2.1: Coverage of all system components
  • 7.2.2: Assignment of privileges to individuals based on job classification and function
  • 7.2.3: Default “deny-all” setting

Without a mechanism to restrict access based on business need to know, a user may unknowingly be granted access to the cardholder data environment. This is where the access control system comes into play. Access control systems help your organization automate the process of restricting access and assigning privileges. Some access control systems are set to a default “allow-all” setting, but PCI Requirement 7.2 requires that yours is set to a default “deny-all” setting. This ensures no one is granted access unless a rule is established that specifically grants access.
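The default “deny-all” authorization described under 7.2.3, the job-classification-based privileges of 7.2.2, and the coverage check of 7.2.1 can be expressed in a small policy check. The following is an added example, not code from the original article; all users, roles, components and grants are constructed sample data, and the “actual grants” snapshot stands in for what an assessor would pull from the systems.

```python
# Added example (not from the article): default-deny role-based
# authorization plus an entitlement review that compares the privileges
# actually granted on each system component against the documented
# job-function roles. All names below are constructed sample data.

# Documented privileges per job function (the 7.2.2 role catalogue).
ROLE_PRIVILEGES = {
    "pos-clerk": {("payment-app", "charge")},
    "dba": {("cardholder-db", "read"), ("cardholder-db", "backup")},
    "auditor": {("cardholder-db", "read"), ("log-store", "read")},
}

# Job classification assigned to each user.
USER_ROLE = {"johnny": "pos-clerk", "suzie": "dba", "betty": "auditor"}

# System components in scope; each one needs a documented policy (7.2.1).
IN_SCOPE_COMPONENTS = {"payment-app", "cardholder-db", "log-store", "batch-server"}


def is_allowed(user, component, action):
    """Default deny-all (7.2.3): access exists only through an explicit role
    grant. Unknown users, unknown roles and unlisted components get nothing."""
    role = USER_ROLE.get(user)
    if role is None:
        return False
    return (component, action) in ROLE_PRIVILEGES.get(role, set())


def review_entitlements(actual_grants):
    """Compare what the systems actually grant (user -> set of
    (component, action) pairs) against the documented roles.
    Returns (excess privileges per user, in-scope components that no
    documented role covers)."""
    excess = {}
    for user, grants in actual_grants.items():
        expected = ROLE_PRIVILEGES.get(USER_ROLE.get(user), set())
        extra = grants - expected
        if extra:
            excess[user] = sorted(extra)
    covered = {comp for privs in ROLE_PRIVILEGES.values() for comp, _ in privs}
    uncovered = sorted(IN_SCOPE_COMPONENTS - covered)
    return excess, uncovered


if __name__ == "__main__":
    # Constructed snapshot of grants collected from the systems.
    snapshot = {
        "johnny": {("payment-app", "charge"), ("cardholder-db", "read")},
        "suzie": {("cardholder-db", "read"), ("cardholder-db", "backup")},
        "tommy": {("log-store", "read")},  # has grants but no documented role
    }
    print(review_entitlements(snapshot))
```

Under a default “allow-all” model, `tommy` and the extra `cardholder-db` read for `johnny` would go unnoticed until someone wrote an explicit denial; under default deny they surface as findings.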

During the assessment, your system settings and relevant documentation will be examined to verify that your access control system incorporates and implements all elements of the PCI Requirement 7.2 sub-requirements.

It’s not enough that we have established role based access controls from a paperwork perspective and said that Johnny, Suzie, Betty, and Tommy need access. That’s all great, but the systems that we implement need to be able to support the permissions that we’re looking to carry out through our role based access controls. Specific to PCI Requirement 7.2, we need to make sure that the systems we use or put in-house are capable of supporting that. One recommendation I would make for your RFP process, when you’re looking for a new application or bidding out development work, is to make sure that you’re cognizant of the permissions your application is going to need to support, and that the authentication mechanisms you have in place are capable of supporting the role based access controls that you’ve defined within your organization.