PCI Readiness Series: PCI Requirement 7
What is PCI Requirement 7?
In this webinar, our PCI expert spotlights PCI Requirement 7, which states, “Restrict access to cardholder data by business need-to-know.” This requirement is focuses on authorization and establishing a program of least privileges. PCI Requirement 7 supports the implementation of many of the controls in PCI Requirement 8.
In this webinar, we’ll discuss several elements of creating a strong access control system, such as maintaining a list that identifies asset owners and users with privileged access, enforcing restrictions that cover all systems, and roles such as call center agencies, network administration, accounting, and front of house/back of house, which may be in scope of a PCI assessment. Our expert panelist will also discuss the following sub-requirements of PCI Requirement 7:
Requirement 7.1 – Limit access to system components and cardholder data to only those individuals who job requires such access.
Your organization needs to maintain a list that identifies asset owners and individuals with privileged access. This list should minimize potential risk by removing any unnecessary access.
Requirement 7.2 – Establish an access control system for system component that restrict access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
Requirement 7.3 – Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.Maintaining effective, actively use policies and procedures is a large part of implementing access control measures. These documents need to define the access required for each role and privileges necessary for each role. They also need to define how access is restricted based on least privileges necessary for the individual job and function. A formal approval process must also be outlined within your policies and procedures. It’s important that these documents are actually usable to your employees and are effectively communicated to all relevant individuals.