NL +31 (0)20 4232420 / SP +34 937 379 542

This blog is part of a blog series on the 12 PCI DSS Requirements. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Now we speak about:


Requirement 7 of PCI DSS: Restrict access to cardholder data


Requirement 7 of PCI DSS focuses on restricting the access to the systems and cardholder data only to authorized personnel based on their roles and their job functions, thus avoiding the mishandling of the same, either due to clumsiness or malice.
The main challenges and steps that must be considered are:

  1. Define access needs
    It is most important to define the access needs and the privilege assignments for each role. Then, implement the access restriction based on individual personnel’s job classification and function on all systems and applications in the PCI DSS environment.
  2. Document authorised users and monitor this
    Document in a form the list of specific privileges authorised for each user ID based on its role and utilise the same type of form to logging each subsequent privilege change.
  3. Implement an access control system
    For all systems in the CDE, implement an access control system to restrict access according to the user’s needs and which denies access that is not specifically allowed.

We recommend implementing some of the known centralized access technologies to guarantee the access restriction to all the systems based on roles, this will be helpful for access management.

Need help with PCI DSS implementation? Our QSAs can help out.

Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data  
PCI DSS requirement 4: Encryption  
PCI DSS requirement 5: Update and Scan 
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD 
PCI DSS requirement 8: Identify, Authenticate, and Authorize  
PCI DSS requirement 9: Restrict physical access to Cardholder data 
PCI DSS requirement 10: Track and monitor all access to network resources and cardholder data