PCI Requirement 7.3 – Ensure Policies and Procedures for Restricting Access to Cardholder Data are Documented, in Use, and Known to all Affected Parties

by Randy Bartels / November 28th, 2017

Documentation for Restricting Access to Cardholder Data

PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. For this requirement, we’ve discussed access control systems, how to define access needs, limiting privileges based on business need to know, and how to further protect your cardholder data environment. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 7.3.

PCI Requirement 7.3 states, “Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.” This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures need to be known and in use by all relevant parties. Your personnel must be implementing what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties use the policies and procedures. It is not sufficient that you generate documentation just for the sake of the audit. Your assessor should be reading these documents, familiar with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and procedures understands what they are. If PCI Requirement 7.3 is not met, your systems could be left vulnerable.

Finally, we come to the last requirement within PCI Requirement 7, the capstone, as we’ve been calling it. This requirement, once again, requires that you have policies, procedures, and standards around maintaining user authorization within your environment. It covers the role-based access controls. From an assessment perspective, your assessor should be looking at the policies, looking at the procedures, interviewing staff, and making sure that whatever you’ve documented from a policies and procedures standpoint has been implemented within your environment.