Documentation for Restricting Access to Cardholder Data
PCI Requirement 7 states, âRestrict access to cardholder data by business need to know.â Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. For this requirement, weâve discussed access control systems, how to define access needs, limiting privileges based on business need to know, and how to further protect your cardholder data environment. But, as weâve learned, itâs not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 7.3.
PCI Requirement 7.3 states, âEnsure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.â This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures need to be known and in use by all relevant parties. Your personnel must be implementing what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties use the policies and procedures. It is not sufficient that you generate documentation just for the sake of the audit. Your assessor should be reading these documents, familiar with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and procedures understands what they are. If PCI Requirement 7.3 is not met, your systems could be left vulnerable.
Finally, we come to the last requirement within PCI Requirement 7, the capstone, as weâve been calling it. This requirement, once again, requires that you have policies, procedures, and standards around maintaining user authorization within your environment. It covers the role-based access controls. From an assessment perspective, your assessor should be looking at the policies, looking at the procedures, interviewing staff, and making sure that whatever youâve documented from a policies and procedures standpoint has been implemented within your environment.