PCI Requirement 7.1.4 states, “Require documented approval by authorized parties by specifying required privileges.” The PCI DSS explains that the purpose of documented approval, in writing or electronic, is to assure that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.
PCI Requirement 7.1.4 requires that your organization retain some type of artifact that states who asked for access, whether it is necessary for their job function, and whether management approved this access. Before your PCI assessment, we recommend that you examine anyone with elevated privilege or access into the cardholder data environment and ensure there is management approval for that access. During the assessment, an assessor will take a sample of user IDs and the documentation, which should verify that access was approved by management and that the access matches their job responsibility requirements.
From a security perspective, we have the principle of a data security owner and a data security custodian. Typically, the owner is the management of the organization and the custodian is the IT department. We expect somebody to approve each request for access into an environment. If Betty, Tommy, or Suzie needs access to a particular asset within your organization, somebody needs to be approving that, and we expect that there’s some type of artifact that you’re going to retain which says that access was asked for Tommy to be given privileges to this particular environment, and that somebody from management has approved it.
One of the things that we find from time to time is a particular staff member whose access pre-dates PCI DSS. What I would ask you to do is go through all of your privileged staff, or those who’ve been given escalated privileges or access into the cardholder data environment, and make sure that there’s some type of management approval for those individuals to have access. From an assessment perspective, we’re going to ask for a copy of those particular request forms. Typically, we get a sample of new hire request forms, and then take that back and look at the access privileges that have actually been assigned. Only the permissions that have been requested and approved by management should be the ones actually assigned in the production environment.
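The comparison described above, assigned privileges checked against management-approved request forms, as an added example that is not from the original article: a small reconciliation over constructed approval and assignment records that flags privileges with no signed approval, privileges beyond what was approved, and approvals that were never assigned. The record fields, privilege names and user names are assumptions.

```python
"""Reconcile approved access against assigned access (PCI DSS 7.1.4 evidence check)."""
from collections import defaultdict

# Constructed sample data: what signed access request forms would yield.
# An empty "approved_by" models an unsigned form, which does not count as approval.
APPROVALS = [
    {"user": "tommy", "privileges": {"cde_db_read"}, "approved_by": "mgr_jane", "justification": "reporting"},
    {"user": "suzie", "privileges": {"cde_admin"}, "approved_by": "mgr_jane", "justification": "DBA"},
    {"user": "betty", "privileges": {"cde_db_read"}, "approved_by": "", "justification": "reporting"},
]

# Constructed sample data: what an export of privileges actually assigned in the CDE would yield.
ASSIGNMENTS = [
    ("tommy", "cde_db_read"),
    ("tommy", "cde_admin"),       # drift: assigned but never on an approved form
    ("suzie", "cde_admin"),
    ("betty", "cde_db_read"),     # form exists but was never signed by management
    ("legacy_ops", "cde_admin"),  # account pre-dates PCI DSS: no request form at all
]


def reconcile(approvals, assignments):
    """Return sorted (user, privilege, reason) findings an assessor would ask about."""
    approved = defaultdict(set)
    for form in approvals:
        if form["approved_by"]:  # only a management-signed form counts as approval
            approved[form["user"]] |= set(form["privileges"])
    assigned = defaultdict(set)
    for user, priv in assignments:
        assigned[user].add(priv)

    findings = []
    for user, privs in assigned.items():
        for priv in privs - approved.get(user, set()):
            reason = "assigned but not approved" if user in approved else "no approval artifact"
            findings.append((user, priv, reason))
    # Approved-but-unassigned is not a 7.1.4 gap, but stale approvals are worth reviewing.
    for user, privs in approved.items():
        for priv in privs - assigned.get(user, set()):
            findings.append((user, priv, "approved but not assigned"))
    return sorted(findings)


if __name__ == "__main__":
    for user, priv, reason in reconcile(APPROVALS, ASSIGNMENTS):
        print(f"{user:12} {priv:12} {reason}")
```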
Make sure you have some type of artifact where management has approved everybody’s access into the cardholder data environment or where those individuals might have privileged access.