PCI Requirement 8.7 requires that you restrict all access to any database containing cardholder data and access is restricted as follows:
- All user access to, user queries of, and user actions on databases are through programmatic methods.
- Only database administrators have the ability to directly access or query databases.
- Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
PCI Requirement 8.7’s intent is to ensure that only database administrators have the ability to access or query databases. Additionally, user authentication brings accountability to those accessing databases. The PCI DSS further explains, “Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only, rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).”
To verify that you restrict all access to any database containing cardholder data, an assessor will review database and application configuration and control settings.
If you have databases within your environment and these databases are connecting to applications, or applications are connecting to databases to query information, we must ensure that the username and password that the databases use can never be used by individuals. As we talked about before, individuals should have their own usernames and passwords that they use to access your environment.
Specific to PCI Requirement 8.7, only applications can be used in application accounts for accessing these databases. We want to be sure that only database administrators have the ability to run a direct query. We also want to make sure that your databases authenticate users before they’re able to run any type of query.
Lastly, from an assessment perspective, we’re going to look at what accounts are actually being used and how they’re being used. Chances are, your assessors are going to want to dig through your log servers to see when these accounts are being used. We’re also going to look to see if you’ve had any interactive log-in with the types of accounts that are associated with the application.
Once again, the application IDs that are associated with connecting to the database should never be used to authenticate into the database to run queries.