PCI Requirement 7.1.3 – Assign Access Based on Individual Personnel’s Job Classification and Function

by Randy Bartels / November 28th, 2017

What is PCI Requirement 7.1.3?

PCI Requirement 7.1.3 states, “Assign access based on individual personnel’s job classification and function.” Because access needs have been defined for user roles in PCI Requirement 7.1.1, it is easy to take the next step in PCI Requirement 7.1.3 and grant individuals access according to their job classification and function by using the already-created roles.

During the assessment, an assessor will, once again, get a list of all the roles, a list which individuals are in those roles, find out what permissions these particular roles need, and ensure that you are only assigning the necessary privileges to each role.

When you hire somebody within your organization, you’ve obviously hired them to perform a specific task or to fill a specific role. Requirement 7.1.3 requires that you only assign those necessary privileges based on their individual role. Once again, from an assessment perspective, we’re going to be working with your HR, get a list of all the roles, get a list of who those individuals are, talk to the management staff and find out what permissions these particular roles need, and make sure that for a role, you’re only assigning the necessary privileges to that role.