PCI Requirement 7.2 – Establish an Access Control System

by Randy Bartels / November 28th, 2017

Why Establish an Access Control System?

PCI Requirement 7.2 states, “Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.” This access control system must include the following three sub-requirements of PCI Requirement 7.2:

  • 7.2.1: Coverage of all system components
  • 7.2.2: Assignment of privileges to individuals based on job classification and function
  • 7.2.3: Default “deny-all” setting

Without a mechanism that restricts access based on business need to know, a user can end up with access to the cardholder data environment that nobody intended to grant. This is where the access control system comes into play: it automates the work of restricting access and assigning privileges, so that permissions follow from defined rules rather than from ad hoc decisions. Some access control systems ship with a default “allow-all” setting, but PCI Requirement 7.2 requires that yours be set to a default “deny-all” setting. With deny-all, no one is granted access unless a rule has been established that specifically grants it; with allow-all, access is granted to anyone for whom no one remembered to write a deny rule.
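The following is an added example, not code from the original page or from KirkpatrickPrice, showing the three elements of PCI Requirement 7.2 in working form: a constructed inventory of system components, privileges assigned to roles rather than to individuals, and a check that denies anything not explicitly allowed. A deliberately permissive “allow-all” check is included alongside it to show the failure mode the requirement is meant to prevent. All component, role and user names are constructed sample data.

```python
"""Default-deny, role-based access check (added example, not the page's code).

Illustrates PCI Requirement 7.2's three elements with constructed data:
  7.2.1  every in-scope system component is registered with the system
  7.2.2  privileges are granted to roles (job functions), never to users directly
  7.2.3  the decision defaults to "deny" unless an explicit allow rule matches
"""

# 7.2.1: the set of system components the access control system covers.
# Constructed sample inventory; real deployments would load this from a CMDB.
COMPONENTS = {"pos-terminal", "card-db", "payment-gateway", "hr-portal"}

# 7.2.2: privileges per job function. Only allow rules exist; nothing needs a
# deny rule because the default already denies.
ROLE_PRIVILEGES = {
    "cashier": {("pos-terminal", "read"), ("pos-terminal", "write")},
    "dba": {("card-db", "read"), ("card-db", "write")},
    "hr": {("hr-portal", "read"), ("hr-portal", "write")},
}

# Users are mapped to roles, never to individual privileges.
# Tommy has an account but no role assignment yet.
USER_ROLES = {
    "johnny": {"cashier"},
    "suzie": {"dba"},
    "betty": {"hr"},
    "tommy": set(),
}


def is_allowed(user, component, action):
    """7.2.3 default-deny: True only if a role held by the user carries an explicit allow.

    Raises ValueError for a component the system does not cover, so an
    unregistered component can never be silently allowed (or silently denied
    in a way that hides the coverage gap).
    """
    if component not in COMPONENTS:
        raise ValueError(f"component {component!r} is not covered by the access control system")
    for role in USER_ROLES.get(user, set()):
        if (component, action) in ROLE_PRIVILEGES.get(role, set()):
            return True
    # No matching allow rule: the answer is "deny", including for unknown users.
    return False


# Constructed explicit deny list used only by the permissive check below.
EXPLICIT_DENIES = {("hr", "card-db", "read")}


def is_allowed_permissive(user, component, action):
    """The allow-all anti-pattern: access is granted unless a deny rule matches.

    A user with no role at all (Tommy) passes, because nobody wrote a deny
    rule for him. This is exactly what 7.2.3 forbids.
    """
    for role in USER_ROLES.get(user, set()):
        if (role, component, action) in EXPLICIT_DENIES:
            return False
    return True


def audit_coverage(inventory):
    """7.2.1 check: components in the live inventory that the system does not cover.

    `inventory` is the set of components actually deployed (constructed input
    here). Anything returned is a coverage gap an assessor would flag.
    """
    return set(inventory) - COMPONENTS


if __name__ == "__main__":
    print("johnny read pos-terminal:", is_allowed("johnny", "pos-terminal", "read"))
    print("johnny read card-db:", is_allowed("johnny", "card-db", "read"))
    print("tommy read card-db (deny-all):", is_allowed("tommy", "card-db", "read"))
    print("tommy read card-db (allow-all):", is_allowed_permissive("tommy", "card-db", "read"))
    print("uncovered:", audit_coverage({"pos-terminal", "card-db", "new-loyalty-app"}))
```

Run stand-alone, the script shows Johnny allowed on the POS terminal and denied on the card database, Tommy denied everywhere under deny-all but allowed everywhere under the allow-all variant, and `new-loyalty-app` reported as a component the system does not yet cover. The `ValueError` on an unregistered component is a design choice: a 7.2.1 gap should fail loudly at decision time rather than be absorbed into an ordinary deny.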

During the assessment, your system settings and relevant documentation will be examined to verify that your access control system incorporates and implements all elements of the PCI Requirement 7.2 sub-requirements.

It’s not enough to have established role-based access controls from a paperwork perspective and said that Johnny, Suzie, Betty and Tommy need access. That’s all great, but the systems we implement need to be able to enforce the permissions we intend to carry out through those role-based access controls. Specific to PCI Requirement 7.2, we need to make sure that the systems we buy or build in-house are capable of supporting that. One recommendation I would have for you, as part of your RFP process when you’re looking for a new application or bidding out development work, is to be cognizant of the permissions your application is going to need to support, and to confirm that the authentication and authorization mechanisms you have in place can enforce the role-based access controls you’ve defined within your organization.