Someone to Monitor and Control All Access to Data
PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it? Without someone formally responsible for monitoring and giving access to cardholder data, that data does not have the protection it needs.
Throughout the PCI DSS, the standard talks about key management, data custodians, and granting access based on a business's need to know; all of these topics factor into PCI Requirement 12.5.5. The person in this role might not be the data owner, but it is someone who ensures that the access granted is appropriate, that technical safeguards are in place, and that if suspicious activity arises, it is monitored and analyzed. Without someone assigned to this role, gaps in processes will open up access to critical resources or cardholder data.
When we get to PCI Requirement 12.5.5, we need to have somebody who is formally responsible for monitoring access to cardholder data. What this comes down to is the concept of the data security owner and the data security custodian. In this case, somebody needs to be responsible for managing who has access to the data and making sure that the access is appropriate.