PCI DSS Requirement 7: Restrict access to cardholder data based on business requirements
Important data should be accessible only by authorized personnel. To achieve this, systems and processes must be in place to limit access according to each individual's job responsibilities and business needs.
The term “need to know” means granting access rights only to the minimum amount of data and the minimum privileges required to perform a job.
The requirement for PCI DSS 7 is primarily about controlling all access to cardholder data and granting access privileges only to those who “need to know” due to their business needs.
PCI DSS Requirement 7.1: Limit access to system components and cardholder data only to people who require this access.
The more people who have access to cardholder data, the greater the risk that a user account will be misused. Limiting access to those with a legitimate business need helps an organization prevent misuse of cardholder data, whether through inexperience or intent.
A written policy for access control should be established, which should include:
- Access needs and privileges for each role must be defined.
- Access to privileged user IDs must be limited to the minimum privileges necessary to fulfill the job’s duties.
- Access should be allocated according to the job classification and the function of individual staff.
- All access, including the specific privileges granted, must be approved by authorized parties electronically or in writing.
PCI DSS Requirement 7.1.1: Define access requirements for each role
To limit access to cardholder data to those who need it, it is first necessary to define each role’s access requirements for all relevant system components. It is also necessary to determine the privilege level that each role actually needs to carry out its assigned tasks.
Once the roles and their corresponding access needs have been defined, people can be granted access accordingly.
The access needs for each role should be defined taking the following into account:
- System components and data sources that each role must access for business needs
- The level of privilege required to access resources (user, administrator, etc.)
Identifying roles within an organization is the first step towards ensuring that only those with business needs can access sensitive systems or data. Once roles have been determined, the organization can evaluate the level of privilege required and limit access accordingly.
PCI DSS Requirement 7.1.2: Restrict access to privileged user IDs to the minimum privileges required to fulfill job responsibilities.
When assigning privileged identities, it is essential to assign to individuals only the minimum privileges (“least privileges”) needed to perform their business. For example, the database administrator or the backup manager should not have the same rights as the general system administrator.
Assigning minimal privileges helps prevent users who lack sufficient knowledge of an application from incorrectly or accidentally changing its configuration or security settings.
Least privilege also limits the scope of damage if an unauthorized person gains control of an authorized user ID.
PCI DSS Requirement 7.1.3: Assign access to staff based on job classification and function.
Once the requirements for user roles have been defined, it is simpler and more manageable to grant staff access according to their job classification and function by using the predefined roles.
Access control is not limited to the application layer or to any single authorization solution. For example, directory services (such as Active Directory or LDAP), Access Control Lists (ACLs), and TACACS are all feasible solutions as long as they are correctly configured to enforce the principle of least privilege.
PCI DSS Requirement 7.1.4: Require documented approval from authorized parties specifying the required privileges.
Written or electronically documented approvals ensure that those with access and privileges are known to and authorized by management, and that the access is necessary for their business functions.
- Documented approvals must be available for assigned privileges.
- Approval must be given by authorized parties.
- Specified privileges must match the roles assigned to the person.
PCI DSS Requirement 7.2: Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
Without a mechanism that restricts access based on what a user needs to know, users may be granted unauthorized access to cardholder data.
Access control systems automate access limitation and privilege assignment. In addition, a default “deny all” rule ensures that no one is granted access until a rule specifically allowing that access is created.
Organizations can have one or more access control systems to manage user access.
Access control systems should include:
- Scope of all system components
- Giving privileges to individuals according to job classification and function
- “Deny all” rule by default.
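The following is an added example, not code from the article or from the PCI SSC: a minimal role-based access decision that ties together the Requirement 7 properties listed above (access needs defined per role, least privilege, documented approval of each assignment, and a default “deny all” rule). Role, user and component names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Grant:
    component: str   # in-scope system component (constructed name)
    privilege: str   # privilege level: "read", "write" or "admin"

# 7.1.1 / 7.1.2: access needs defined per role, kept to the minimum each job
# requires (e.g. the backup operator is not a general administrator).
ROLES: Dict[str, Set[Grant]] = {
    "dba":       {Grant("cde-db", "admin")},
    "backup-op": {Grant("cde-db", "read"), Grant("backup-store", "write")},
    "sysadmin":  {Grant("app-server", "admin"), Grant("backup-store", "admin")},
}

@dataclass
class Assignment:
    role: str
    approved_by: Optional[str] = None   # 7.1.4: who documented the approval

@dataclass
class User:
    name: str
    assignments: List[Assignment] = field(default_factory=list)

def authorize(user: User, component: str, privilege: str) -> Tuple[bool, str]:
    """Decide one access request; returns (allowed, reason).

    7.2: nothing is allowed unless a rule specifically grants it, so the only
    path to True is an approved role assignment whose grants include the request.
    """
    wanted = Grant(component, privilege)
    unapproved: List[str] = []
    for a in user.assignments:
        if wanted not in ROLES.get(a.role, set()):
            continue                      # role does not include this privilege
        if a.approved_by is None:
            unapproved.append(a.role)     # grant exists but approval is undocumented
            continue
        return True, f"allowed via role {a.role!r}, approved by {a.approved_by}"
    if unapproved:
        return False, f"denied: role(s) {unapproved} lack documented approval"
    return False, "denied: default deny-all, no matching rule"

if __name__ == "__main__":
    alice = User("alice", [Assignment("dba", approved_by="cto")])
    print(authorize(alice, "cde-db", "admin"))        # allowed
    print(authorize(alice, "app-server", "admin"))    # denied: deny-all
```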
PCI DSS Requirement 7.3: Ensure that security policies and operational procedures to restrict access to cardholder data are documented, in use, and known to all affected parties.
Staff need to know and follow the security policies and operational procedures to ensure that access is continuously monitored and limited to the minimum privileges required.
For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library. To review all of the PCI DSS Requirements, you can review our PCI DSS Requirements and PCI Compliance articles.