Requirement A.1.1
Ensure that each entity only runs processes that have access to that entity’s cardholder data environment.
Testing Procedure
A.1.1.a
If a shared hosting provider allows entities (for example, merchants or service providers) to run their own applications, verify these application processes run using the unique ID of the entity. For example:
- No entity on the system can use a shared web server user ID.
- All CGI scripts used by an entity must be created and run as the entity’s unique user ID.
Guidance
If a merchant or service provider is allowed to run their own applications on the shared server, these should run with the user ID of the merchant or service provider, rather than as a privileged user.