This blog is part of a blog series on the 12 PCI DSS Requirements. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Now we speak about:

 

Requirement 7 of PCI DSS: Restrict access to cardholder data

 

Requirement 7 of PCI DSS focuses on restricting the access to the systems and cardholder data only to authorized personnel based on their roles and their job functions, thus avoiding the mishandling of the same, either due to clumsiness or malice.
The main challenges and steps that must be considered are:

  1. Define access needs
    It is most important to define the access needs and the privilege assignments for each role. Then, implement the access restriction based on individual personnel’s job classification and function on all systems and applications in the PCI DSS environment.
  2. Document authorised users and monitor this
    Document in a form the list of specific privileges authorised for each user ID based on its role and utilise the same type of form to logging each subsequent privilege change.
  3. Implement an access control system
    For all systems in the CDE, implement an access control system to restrict access according to the user’s needs and which denies access that is not specifically allowed.

We recommend implementing some of the known centralized access technologies to guarantee the access restriction to all the systems based on roles, this will be helpful for access management.

Read more about requirement 6 of PCI DSS

Our QSAs are ready to assist in any way with your roadmap towards PCI DSS compliance