PCI Requirement 7.1.2 – Restrict Access to Privileged User IDs to Least Privileges Necessary
What is PCI Requirement 7.1.2?
Within your organization, you will obviously have personnel who require an elevated level of privilege. You will have some personnel with more responsibility than others, but you still need to limit the ability for someone to impact the security of the cardholder data environment. PCI Requirement 7.1.2 requires you to limit access to privileged user IDs to personnel who truly require it for the function of their job. PCI Requirement 7.1.2 states, “Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.” The PCI DSS explains, “When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.”
During the assessment, assessors will be looking for an explanation of why these roles or individuals have an elevated level of privilege. Assessors will also interview the personnel responsible for assigning access to determine if access to privileged user IDs is given only to those who specifically require such access and if access is restricted to least privileges necessary.
Within your organization, you’re going to have people, obviously, that are going to be responsible or have an elevated level of privilege. This might be everyone from the systems administration staff to your call center managers. For any of those accounts that would have the ability to impact somebody else’s experience or perhaps impact the security of the cardholder data environment in any way, or really all of those administrative accounts, we want to limit those accounts to only those individuals who truly require that.
From an assessment perspective, we’re going to talk to management staff and get a list of what those accounts are and look at any privileges that have been assigned to those roles. If those roles need that privilege, that’s fine. Basically, we’re looking for an accounting of why these roles or individuals would have access to those particular accounts.