PCI DSS Requirement 7: Restrict Cardholder Data Access

Assigning permissions carefully is one means of protecting sensitive account data by providing the minimum level of access necessary to perform an employee’s job.

Requirement 7 details the means of securing data by limiting access to a "need-to-know" basis, which means giving personnel only the least amount of data needed to perform their job.

Requirement 7 Details and Sections

Requirement 7 contains three sections that detail the means of securing account data by carefully assigning user permissions and access controls.

  • Requirement 7.1: Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.

  • Requirement 7.2: Access to system components and data is appropriately defined and assigned.

  • Requirement 7.3: Access to system components and data is managed via access control systems.

Requirement 7.1: Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.

Like the other requirements in PCI DSS 4.0, the first section of this requirement (7.1) explains the importance of creating and maintaining the policies needed for adherence. These processes must be consistently monitored and updated whenever required, and all involved personnel must understand their responsibilities.

Detailed requirement sections include:

  • Requirement 7.1.1: All security policies and operational procedures that are identified in Requirement 7 are documented, up-to-date, in use, and known to all impacted parties.

  • Requirement 7.1.2: Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.

Requirement 7.2: Access to system components and data is appropriately defined and assigned.

Section 7.2 outlines, with some specificity, the proper means of administering access to those who need it. In most instances, the lowest level of access should be the default permission set, with administrator accounts being carefully guarded and assigned only when absolutely necessary.

Detailed requirement sections include:

  • Requirement 7.2.1: An access control model is defined and includes granting access as follows:

    • Appropriate access depending on the entity’s business and access needs.

    • Access to system components and data resources is based on users’ job classification and functions.

    • The least privileges required to perform a job function.

  • Requirement 7.2.2: Access is assigned to users based on job classification and function, and the least privileges necessary to perform job responsibilities.

  • Requirement 7.2.3: Required privileges are approved by authorized personnel.

  • Requirement 7.2.4: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed at least once every six months as follows:

    • To ensure user accounts and access are appropriate based on job function.

    • Any inappropriate access is addressed.

    • Management confirms this access level is appropriate.

  • Requirement 7.2.5: All system accounts and access privileges are assigned and managed as follows:

    • Based on the least privileges necessary for the operability of the system or application.

    • Access is limited to the systems, applications, or processes that specifically require their use.

  • Requirement 7.2.6: All user access to query repositories of stored cardholder data is restricted as follows:

    • Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.

    • Only the responsible administrator(s) can directly access or query repositories of stored cardholder data.

Requirement 7.3: Access to system components and data is managed via access control systems.

Access control systems can automate the process of restricting access and assigning privileges, and this reduces the chance of errors or improper access. Setting the default access to “deny all” can also ensure that nobody will receive access until explicitly granted.

Detailed requirement sections include:

  • Requirement 7.3.1: Access control systems are in place that restrict access based on a user’s need to know and cover all system components.

  • Requirement 7.3.2: The access control systems enforce permissions assigned to individuals, applications, and systems based on job classification and function.

  • Requirement 7.3.3: The access control systems are set to “deny all” by default.
