Requirement 7: Restrict access to cardholder data

Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities.

Need-to-know means access rights are granted only to the minimum data and privileges required to perform a job, and nothing beyond that.

| Section | PCI Requirement | Comments | Responsibilities on Artsman Cloud |
|---|---|---|---|
| 7.1 | Limit access to system components and cardholder data to only those individuals whose job requires such access. | | Artsman: web sales and database. Customers: user access setup/permissions |
| 7.1.1 | Define access needs for each role, including: (a) system components and data resources that each role needs to access for their job function; (b) level of privilege required (for example, user, administrator, etc.) for accessing resources. | Access to various data can be set on a per-user basis in Employee Access. | Customers: user access setup/permissions |
| 7.1.2 | Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities. | Creating a user in Theatre Manager defaults to minimal access to card data and/or functions. Users are advised to use the administrator account only on the rare occasions when the system actually needs administering. | Customers: user access setup/permissions |
| 7.1.3 | Assign access based on individual personnel's job classification and functions. | | Customers: user access setup/permissions |
| 7.1.4 | Require documented approval by authorized parties specifying required privileges. | | Customers: user access setup/permissions |
| 7.2 | Establish an access control system for system components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following (7.2.1 to 7.2.3): | | |
| 7.2.1 | Coverage of all system components. | Refer to employee settings and function access for credit cards. | Customers: user access setup/permissions |
| 7.2.2 | Assignment of privileges to individuals based on job classification and function. | | Customers: user access setup/permissions |
| 7.2.3 | Default "deny-all" setting. | | Customers: user access setup/permissions |
| 7.3 | Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. | | Customers: user access setup/permissions |
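The deny-all, role-based model that 7.1.1 through 7.2.3 describe, as an added Python example (this is not Theatre Manager's code, and the role names, resources, privilege levels, users and approver strings are assumptions made for illustration): a new user starts with no privileges at all, gains them only through a role whose access needs are defined in one place, a role can only be assigned with a recorded approver, and every access check fails unless a grant explicitly matches. Note that the administrative role deliberately does not imply access to cardholder data, which is the least-privilege point behind 7.1.2.

```python
"""Default-deny, role-based access check for cardholder-data functions.

Added example for PCI DSS Requirement 7; not Theatre Manager code.
Roles, resources, privilege levels and sample users are constructed.
"""
from dataclasses import dataclass, field

# Assumed resources and an ordered privilege ladder ("admin" outranks "user").
RESOURCES = {"card_data", "web_sales", "reports", "employee_access", "database"}
LEVELS = ("user", "admin")


@dataclass(frozen=True)
class Grant:
    resource: str
    level: str  # one of LEVELS


# 7.1.1: access needs are defined once per role. Anything not listed here
# is denied; there is no "allow" anywhere else in the system.
ROLE_GRANTS = {
    "box_office": {Grant("web_sales", "user"), Grant("card_data", "user")},
    "finance": {Grant("reports", "user")},
    # 7.1.2: the administrative role manages the system but gets no card data.
    "sysadmin": {Grant("employee_access", "admin"), Grant("database", "admin")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)      # new users hold no roles
    approvals: list = field(default_factory=list)  # (role, approved_by) records


def assign_role(user, role, approved_by):
    """7.1.3/7.1.4: a role is assigned only with a documented approver."""
    if role not in ROLE_GRANTS:
        raise ValueError(f"unknown role: {role}")
    if not approved_by:
        raise ValueError("role assignment requires a documented approver")
    user.roles.add(role)
    user.approvals.append((role, approved_by))
    return user


def is_allowed(user, resource, level="user"):
    """7.2.3 default deny: True only when a grant of the user's roles
    names this resource at the requested level or higher."""
    if resource not in RESOURCES or level not in LEVELS:
        return False  # unknown resources and levels are denied, not guessed
    needed = LEVELS.index(level)
    for role in user.roles:
        for grant in ROLE_GRANTS.get(role, ()):
            if grant.resource == resource and LEVELS.index(grant.level) >= needed:
                return True
    return False


def card_data_access_report(users):
    """7.1/7.3: the list an assessor asks for, who can reach cardholder data."""
    return sorted(u.name for u in users if is_allowed(u, "card_data"))


if __name__ == "__main__":
    alice = assign_role(User("alice"), "box_office", "manager@example.test")
    bob = assign_role(User("bob"), "sysadmin", "cto@example.test")
    print("alice card_data:", is_allowed(alice, "card_data"))       # True
    print("bob card_data:", is_allowed(bob, "card_data"))           # False
    print("card data access:", card_data_access_report([alice, bob]))
```

The shape to copy from this is that the only place an allow decision can originate is the per-role grant table; `is_allowed` never has a branch that returns True for an unrecognised user, role, resource or level, which is what "deny all unless specifically allowed" means in code.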