Appendix A

 


Requirement A.1.2

Restrict each entity’s access and privileges to its own cardholder data environment only.

Testing Procedure

A.1.2.a
Verify the user ID of any application process is not a privileged user (root/admin).

A.1.2.b
Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.).

Important: An entity’s files may not be shared by group.

A.1.2.c
Verify that an entity’s users do not have write access to shared system binaries.

A.1.2.d
Verify that viewing of log entries is restricted to the owning entity.

A.1.2.e
To ensure each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions resulting in, for example, buffer overflows), verify restrictions are in place for the use of these system resources:

  • Disk space
  • Bandwidth
  • Memory
  • CPU
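The file-permission checks in A.1.2.b and A.1.2.c can be scripted; the following Python is an added example, not part of the PCI DSS text, and its function names and sample files are hypothetical. It assumes a strict reading (an entity's files carry no group or other permission bits, and any group- or other-writable shared binary is a finding) and inspects POSIX mode bits only, not ACLs.

```python
import os
import stat
import tempfile

ANY_GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any r/w/x bit for group or other
WRITE_GROUP_OTHER = stat.S_IWGRP | stat.S_IWOTH

def _entries(root):
    """Yield (path, lstat) for root and everything below it; symlinks are skipped."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        if not stat.S_ISLNK(st.st_mode):  # a symlink's own mode bits carry no meaning
            yield path, st

def audit_entity_tree(root, entity_uid):
    """A.1.2.b (assumed strict reading): owned by the entity, no group/other bits."""
    findings = []
    for path, st in _entries(root):
        if st.st_uid != entity_uid:
            findings.append((path, "not owned by entity"))
        if st.st_mode & ANY_GROUP_OTHER:
            findings.append((path, "shared: " + stat.filemode(st.st_mode)))
    return findings

def audit_shared_binaries(bin_dir, entity_uids):
    """A.1.2.c: no entity-owned and no group/other-writable shared binaries."""
    findings = []
    for path, st in _entries(bin_dir):
        if st.st_uid in entity_uids:
            findings.append((path, "owned by an entity user"))
        if st.st_mode & WRITE_GROUP_OTHER:
            findings.append((path, "writable: " + stat.filemode(st.st_mode)))
    return findings

if __name__ == "__main__":
    # Constructed sample tree: one private file and one file shared by group.
    home = tempfile.mkdtemp()
    for name, mode in (("orders.db", 0o600), ("export.csv", 0o640)):
        path = os.path.join(home, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for path, reason in audit_entity_tree(home, os.getuid()):
        print(path, reason)
```

A group-writable binary is only writable by an entity if one of its users is in that group, so findings from `audit_shared_binaries` are candidates to confirm against group membership.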

Guidance

Logs should be available in a shared hosting environment so the merchants and service providers have access to, and can review, logs specific to their cardholder data environment.