• 7.1
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4

Requirement 7.1

Limit access to system components and cardholder data to only those individuals whose job requires such access.

Testing Procedure

7.1
Examine written policy for access control, and verify that the policy incorporates 7.1.1 through 7.1.4 as follows:

• Defining access needs and privilege assignments for each role
• Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities
• Assignment of access based on individual personnel’s job classification and function
• Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.

Guidance

The more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.

• 7.1
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4

Requirement 7.1.1

Define access needs for each role, including:

• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources.

Testing Procedure

7.1.1
Select a sample of roles and verify access needs for each role are defined and include:

• System components and data resources that each role needs to access for their job function
• Identification of privilege necessary for each role to perform their job function.

Guidance

In order to limit access to cardholder data to only those individuals who need such access, first it is necessary to define access needs for each role (for example, system administrator, call center personnel, store clerk), the systems/devices/data each role needs access to, and the level of privilege each role needs to effectively perform assigned tasks. Once roles and corresponding access needs are defined, individuals can be granted access accordingly.

• 7.1
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4

Requirement 7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

Testing Procedure

7.1.2.a
Interview personnel responsible for assigning access to verify that access to privileged user IDs is:

• Assigned only to roles that specifically require such privileged access
• Restricted to least privileges necessary to perform job responsibilities.

7.1.2.b
Select a sample of user IDs with privileged access and interview responsible management personnel to verify that privileges assigned are:

• Necessary for that individual’s job function
• Restricted to least privileges necessary to perform job responsibilities.

Guidance

When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.

Assigning least privileges helps prevent users without sufficient knowledge about the application from incorrectly or accidentally changing application configuration or altering its security settings. Enforcing least privilege also helps to minimize the scope of damage if an unauthorized person gains access to a user ID.

• 7.1
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4

Requirement 7.1.3

Assign access based on individual personnel’s job classification and function.

Testing Procedure

7.1.3
Select a sample of user IDs and interview responsible management personnel to verify that privileges assigned are based on that individual’s job classification and function.

Guidance

Once needs are defined for user roles (per PCI DSS requirement 7.1.1), it is easy to grant individuals access according to their job classification and function by using the already-created roles.

• 7.1
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4

Requirement 7.1.4

Require documented approval by authorized parties specifying required privileges.

Testing Procedure

7.1.4
Select a sample of user IDs and compare with documented approvals to verify that:

• Documented approval exists for the assigned privileges
• The approval was by authorized parties
• That specified privileges match the roles assigned to the individual.

Guidance

Documented approval (for example, in writing or electronically) assures that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.

• 7.2
• 7.2.1
• 7.2.2
• 7.2.3

Requirement 7.2

Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following: (See 7.2.1 through 7.2.3)

Testing Procedure

7.2
Examine system settings and vendor documentation to verify that an access control system is implemented as follows: (See 7.2.1 through 7.2.3)

Guidance for 7.2 through 7.2.3

Without a mechanism to restrict access based on user’s need to know, a user may unknowingly be granted access to cardholder data. An access control system automates the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access.

Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.

• 7.2
• 7.2.1
• 7.2.2
• 7.2.3

Requirement 7.2.1

Coverage of all system components

Testing Procedure

7.2.1
Confirm that access control systems are in place on all system components.

Guidance for 7.2 through 7.2.3

Without a mechanism to restrict access based on user’s need to know, a user may unknowingly be granted access to cardholder data. An access control system automates the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access.

Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.

• 7.2
• 7.2.1
• 7.2.2
• 7.2.3

Requirement 7.2.2

Assignment of privileges to individuals based on job classification and function.

Testing Procedure

7.2.2
Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.

Guidance for 7.2 through 7.2.3

Without a mechanism to restrict access based on user’s need to know, a user may unknowingly be granted access to cardholder data. An access control system automates the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access.

Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.

• 7.2
• 7.2.1
• 7.2.2
• 7.2.3

Requirement 7.2.3

Default “deny-all” setting.

Testing Procedure

7.2.3
Confirm that the access control systems have a default “deny-all” setting.

Guidance for 7.2 through 7.2.3

Without a mechanism to restrict access based on user’s need to know, a user may unknowingly be granted access to cardholder data. An access control system automates the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access.

Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.

• 7.3

Requirement 7.3

Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

Testing Procedure

7.3
Examine documentation and interview personnel to verify that security policies and operational procedures for restricting access to cardholder data are:

• Documented,
• In use, and
• Known to all affected parties.

Guidance

Personnel need to be aware of and following security policies and operational procedures to ensure that access is controlled and based on need-to-know and least privilege, on a continuous basis.

Goal: Implement Strong Access Control Measures

Requirement 7.0

Restrict access to cardholder data by business need to know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.

“Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.