PCI Requirement 7.2.3 – Default “Deny-All” Setting

by Randy Bartels / November 28th, 2017

What is a Default “Deny-All” Setting?

PCI Requirement 7.2.3 requires that your organization’s access control systems be set to a default “deny-all” setting, which means that no one is granted access unless access has been explicitly assigned to them. Some access control systems default to “allow-all,” but PCI Requirement 7.2.3 requires that yours be set to default “deny-all.” This ensures that no one is granted access unless a rule or authorization has been established that specifically grants it, rather than permitting access to everyone until a rule is written to specifically deny it.

A default “deny-all” setting is the starting point of authorization for access control systems. Access control systems are vital to the security of your cardholder data environment because they help automate the process of restricting access and assigning privileges. Without access control systems that support a default “deny-all” setting, your organization could unknowingly grant an unauthorized user access to the cardholder data environment.

During a PCI assessment, your system settings and relevant documentation will be examined to verify that your access control systems have a default “deny-all” setting in place.

When you implement an application, whether it is one you develop within your environment or one you purchase, you want to make sure that the starting point for authorization, from the application’s perspective, is a default “deny-all” setting, meaning that no permissions are granted to any individual unless they have been explicitly assigned to that person. The reverse of that is a model where everybody has permission and you take away the permissions they shouldn’t have; under that model, any permission you forget to remove remains granted.
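To make the difference between the two starting points concrete, here is a small authorization evaluator written for this article; it is an added example, not code from the original post or from any particular access control product. The rule schema, user list and resource names are all constructed for illustration. The same policy engine is run twice: once with a default of deny and once with a default of allow. The implicit_grants function is the check an assessor is effectively performing: it lists every (user, resource, action) combination that is allowed even though no rule mentions it. Under a default “deny-all” policy that list is always empty.

```python
"""Default-deny vs default-allow authorization, as a minimal policy evaluator."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import product


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Rule:
    """One explicit authorization statement (hypothetical schema for this example)."""
    subject: str    # user name or role name
    resource: str
    action: str
    effect: Decision


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    default: Decision = Decision.DENY  # what happens when no rule matches

    def matching(self, subjects, resource, action):
        """Rules whose subject is the user or one of their roles, for this resource/action."""
        return [r for r in self.rules
                if r.subject in subjects and r.resource == resource and r.action == action]

    def evaluate(self, user, roles, resource, action):
        matched = self.matching({user, *roles}, resource, action)
        if any(r.effect is Decision.DENY for r in matched):
            return Decision.DENY           # an explicit deny always wins
        if any(r.effect is Decision.ALLOW for r in matched):
            return Decision.ALLOW          # an explicit grant
        return self.default                # nothing applies: fall back to the default


def implicit_grants(policy, users, resources, actions):
    """(user, resource, action) triples that are allowed without any explicit rule.

    This is the assessor's check: a default deny-all policy always returns [].
    """
    found = []
    for user, roles in users.items():
        for resource, action in product(resources, actions):
            subjects = {user, *roles}
            if (policy.evaluate(user, roles, resource, action) is Decision.ALLOW
                    and not policy.matching(subjects, resource, action)):
                found.append((user, resource, action))
    return found


# Constructed sample data, not taken from the original post.
USERS = {
    "dba_alice": {"cde_dba"},
    "contractor_bob": {"contractor"},
    "new_hire": set(),        # account provisioned, no roles assigned yet
}
RESOURCES = ["cardholder_data", "audit_logs"]
ACTIONS = ["read", "write"]

GRANTS = [
    Rule("cde_dba", "cardholder_data", "read", Decision.ALLOW),
    Rule("cde_dba", "cardholder_data", "write", Decision.ALLOW),
    Rule("cde_dba", "audit_logs", "read", Decision.ALLOW),
]

# Compliant: nothing is allowed unless a rule explicitly grants it.
DENY_ALL = Policy(rules=GRANTS, default=Decision.DENY)

# Non-compliant: everyone is allowed unless someone remembered to write a deny rule.
ALLOW_ALL = Policy(
    rules=[Rule("contractor", "cardholder_data", "write", Decision.DENY)],
    default=Decision.ALLOW,
)

if __name__ == "__main__":
    for name, policy in (("deny-all", DENY_ALL), ("allow-all", ALLOW_ALL)):
        decision = policy.evaluate("new_hire", set(), "cardholder_data", "read")
        print(f"{name}: new_hire read cardholder_data -> {decision.value}")
        print(f"{name}: implicit grants -> {implicit_grants(policy, USERS, RESOURCES, ACTIONS)}")
```

Running it shows the point of the requirement: new_hire, who has no rule at all, is denied under DENY_ALL and allowed under ALLOW_ALL, and ALLOW_ALL has eleven implicit grants (every combination except the one explicit deny) that nobody ever reviewed or approved.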

Once again, the applications that you implement need to be able to support a default “deny-all” setting; an application that can only work from “allow-all” and subtract permissions cannot satisfy this requirement.