PCI Requirement 7.1 – Limit Access to System Components and Cardholder Data

by Randy Bartels / November 28th, 2017

Why Limit Access to System Components and Cardholder Data?

We’ve discussed least privileges before (See PCI Requirements 2.2.2 and 3.1) and the concept of, “If you don’t need it, get rid of it.” PCI Requirement 7.1 also follows this idea. PCI Requirement 7.1 states, “Limit access to system components and cardholder data to only those individuals whose job requires such access.” If someone’s job needs access to function, grant it. But if they can function without it? Deny access.

So, why should your organization limit access to system components and cardholder data?  The PCI DSS states, “The more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.” Implementing PCI Requirement 7.1 within your organization further protects cardholder data.

During a PCI assessment, an assessor will ask for a list of all job roles within your organization and the responsibilities that fall under each job. An assessor will question which data each job has access to, and why this data is essential to their job. Your organization’s policies and procedures will also be examined to determine compliance with PCI Requirement 7.1. Policies and procedures for access control should incorporate the four sub-requirements of PCI Requirement 7.1, which include:

  • 7.1.1 – Define access needs for each role, including: system components and data resources that each role needs to access for their job function, and level of privilege required for accessing resources.
  • 7.1.2 – Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
  • 7.1.3 – Assign access based on individual personnel’s job classification and function.
  • 7.1.4 – Require documented approval by authorized parties specifying required privileges.

Once again, the PCI DSS calls out least privileges. If you don’t need it, get rid of it. The other side of that is where you do need access, it’s absolutely appropriate to give individuals access. PCI Requirement 7.1 says that we limit the access into the environment to that which is necessary for a job to function. As part of this requirement, we’re going to be asking for a list of all of your roles and their responsibilities. We’re then going to ask, “What is the data that they’re going to be viewing as part of their roles?” We’re going to speak to management staff and ask management, “Why does Johnny, Betty, Suzie, or Tommy actually need to view this data?” If it’s part of their job and they absolutely need it, there’s nothing wrong with that. Let’s give them the access, but we need to make sure it’s secure. However, where there are individuals within your organization that don’t truly need to view cardholder data or have access to it, we expect that cardholder data access has been removed.