To ensure that critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access on a need-to-know basis and according to job responsibilities.
Need-to-know means that access rights are granted only to the minimum data and privileges required to perform a job.
| Section | PCI Requirement | Comments | Responsibilities on Artsman Cloud |
|---|---|---|---|
| 7.1 | Limit access to system components and cardholder data to only those individuals whose job requires such access. | | Artsman: web sales and database. Customers: user access setup/permissions |
| 7.1.1 | Define access needs for each role, including: | Access to various data can be set on a per-user basis in Employee Access. | Customers: user access setup/permissions |
| 7.1.2 | Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities. | Creating a user in Theatre Manager defaults to minimal access to card data and/or functions. Users are advised to use the administrator account only when needed to administer the system. | Customers: user access setup/permissions |
| 7.1.3 | Assign access based on individual personnel's job classification and functions. | | Customers: user access setup/permissions |
| 7.1.4 | Require documented approval by authorized parties specifying required privileges. | | Customers: user access setup/permissions |
| 7.2 | Establish an access control system for system components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following: | | |
| 7.2.1 | Coverage of all system components. | Refer to employee settings and function access for credit cards. | Customers: user access setup/permissions |
| 7.2.2 | Assignment of privileges to individuals based on job classification and function. | | Customers: user access setup/permissions |
| 7.2.3 | Default "deny-all" setting. | | Customers: user access setup/permissions |
| 7.3 | Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. | | Customers: user access setup/permissions |