How to Define Access Needs for Each Role
PCI Requirement 7.1.1 outlines the first step in the process of establishing role-based access controls. PCI Requirement 7.1.1 states, “Define access needs for each role, including: system components and data resources that each role needs to access for their job function, and level of privilege required for accessing resources.”
The PCI DSS states, “In order to limit access to cardholder data to only those individuals who need such access, first it is necessary to define access needs for each role (for example, system administrator, call center personnel, store clerk), the systems/devices/data each role needs access to, and the level of privilege each role needs to effectively perform assigned tasks. Once roles and corresponding access needs are defined, individuals can be granted access accordingly.” An assessor will expect that you define access needs for each role within your environment, then define the specific permissions that each individual needs. Then, an assessor will examine a sample of jobs/roles and their access control needs.
PCI Requirement 7 as a whole addresses establishing role-based access controls. You are expected to define the roles within your environment and then define the specific permissions that each individual needs. An assessor will then identify every place where individuals have access and examine those systems to confirm that they are capable of supporting the roles you have defined within your organization.
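To make the 7.1.1 definition concrete, here is an added example (not from the article or the PCI DSS) that encodes an access-needs matrix for the three roles the standard names, with the resources and privilege levels being assumed values, and then reviews a constructed set of provisioned grants against it to flag any privilege that exceeds the role's defined need.

```python
"""Role access-needs matrix per PCI DSS 7.1.1 (added example, not the article's code)."""
from dataclasses import dataclass

# Ordered privilege levels: a grant is acceptable only if it does not exceed the need.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Access needs per role, keyed by system component / data resource.
# Role names come from the standard; resources and levels are assumed for illustration.
ROLE_NEEDS = {
    "system administrator": {"pos_server": "admin", "chd_db": "admin", "ticketing": "read"},
    "call center personnel": {"chd_db": "read", "ticketing": "write"},
    "store clerk": {"pos_terminal": "write"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    resource: str
    granted: str
    needed: str


def review_grants(role_needs, assignments, grants):
    """Compare each user's provisioned grants with the needs of their assigned role.

    assignments: user -> role name
    grants: user -> {resource: privilege level actually granted}
    Returns one Finding per grant whose level exceeds the role's defined need;
    a resource the role has no defined need for counts as need "none".
    """
    findings = []
    for user, role in assignments.items():
        needs = role_needs[role]
        for resource, granted in grants.get(user, {}).items():
            needed = needs.get(resource, "none")
            if LEVELS[granted] > LEVELS[needed]:
                findings.append(Finding(user, resource, granted, needed))
    return findings


# Constructed sample data: two accounts and what was actually provisioned for them.
ASSIGNMENTS = {"alice": "call center personnel", "bob": "store clerk"}
GRANTS = {
    "alice": {"chd_db": "write", "ticketing": "write"},  # write on chd_db exceeds the role's read need
    "bob": {"pos_terminal": "write", "chd_db": "read"},  # store clerk role defines no need for chd_db
}

if __name__ == "__main__":
    for f in review_grants(ROLE_NEEDS, ASSIGNMENTS, GRANTS):
        print(f"{f.user}: {f.resource} granted={f.granted} needed={f.needed}")
```

Each finding is a grant an assessor sampling that role would expect you to justify or remove.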