Requirement 7: Restrict access to cardholder data

Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place that limit access on a need-to-know basis and according to job responsibilities.

Need-to-know means access rights are granted only to the minimum amount of data and the fewest privileges needed to perform a job.

Section 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.

  7.1.1 Define access needs for each role, including:
    • System components and data resources that each role needs to access for their job function
    • Level of privilege required (for example, user, administrator, etc.) for accessing resources
  7.1.2 Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities.
  7.1.3 Assign access based on individual personnel's job classification and functions.
  7.1.4 Require documented approval by authorized parties specifying required privileges.

Section 7.2: Establish an access control system for system components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

  This access control system must include the following:
  7.2.1 Coverage of all system components
        Comment: Refer to employee settings and function access for credit cards
  7.2.2 Assignment of privileges to individuals based on job classification and function
  7.2.3 Default "deny-all" setting

Section 7.3: Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
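As an added illustration (not code from the PCI DSS or from this site), the following Python sketches the control that 7.2 describes: a role policy that lists only the resources and minimum privilege level each role needs (7.1.1, 7.1.2), users mapped to roles by job function with a recorded approval (7.1.3, 7.1.4), and an access check that denies anything not explicitly granted (7.2.3). All role names, resources, users and approvers are constructed for the example.

```python
"""Deny-by-default, role-based access check in the spirit of PCI DSS
Requirement 7. Added illustration; the roles, resources, privilege levels,
users and approvers below are constructed, not taken from any real system."""

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Privilege(IntEnum):
    """Privilege levels (7.1.1); a higher level satisfies a lower requirement."""
    NONE = 0
    USER = 1
    ADMIN = 2


# Constructed policy: each role names only the resources it needs and the
# minimum privilege for each (7.1.1, 7.1.2). Any (role, resource) pair that is
# not listed is implicitly denied (7.2.3).
ROLE_POLICY: Dict[str, Dict[str, Privilege]] = {
    "cashier": {"pos_terminal": Privilege.USER},
    "refund_clerk": {"pos_terminal": Privilege.USER, "cardholder_db": Privilege.USER},
    "db_admin": {"cardholder_db": Privilege.ADMIN},
}


@dataclass
class User:
    """A person assigned roles by job function (7.1.3). `approved_by` stands in
    for the documented approval of 7.1.4; without it, nothing is granted."""
    name: str
    roles: Set[str] = field(default_factory=set)
    approved_by: Optional[str] = None


def is_allowed(user: User, resource: str, needed: Privilege,
               policy: Dict[str, Dict[str, Privilege]] = ROLE_POLICY) -> bool:
    """Return True only when an approved role of the user grants at least
    `needed` on `resource`. Unknown roles, unknown resources, missing approval
    and insufficient privilege all fall through to the default deny (7.2.3)."""
    if user.approved_by is None:
        return False
    for role in user.roles:
        grants = policy.get(role, {})
        if grants.get(resource, Privilege.NONE) >= needed:
            return True
    return False


def denied_attempts(attempts: List[Tuple[User, str, Privilege]]) -> List[str]:
    """Evaluate a batch of access attempts and return the denied ones as audit
    lines, the kind of record a periodic access review (7.3) would examine."""
    lines = []
    for user, resource, needed in attempts:
        if not is_allowed(user, resource, needed):
            lines.append(f"DENY user={user.name} roles={sorted(user.roles)} "
                         f"resource={resource} needed={needed.name}")
    return lines


# Constructed users and approvals for the demonstration.
CASHIER = User("alice", {"cashier"}, approved_by="ops-manager")
CLERK = User("carol", {"refund_clerk"}, approved_by="ops-manager")
UNAPPROVED_ADMIN = User("bob", {"db_admin"})            # role assigned, no approval
INTERN = User("dave", {"intern"}, approved_by="ops-manager")  # role absent from policy

SAMPLE_ATTEMPTS = [
    (CASHIER, "pos_terminal", Privilege.USER),      # allowed
    (CASHIER, "cardholder_db", Privilege.USER),     # denied: not in cashier's policy
    (CLERK, "cardholder_db", Privilege.ADMIN),      # denied: USER < ADMIN
    (UNAPPROVED_ADMIN, "cardholder_db", Privilege.ADMIN),  # denied: no approval
    (INTERN, "pos_terminal", Privilege.USER),       # denied: unknown role
]

if __name__ == "__main__":
    for line in denied_attempts(SAMPLE_ATTEMPTS):
        print(line)
```

The check never consults a list of forbidden combinations; it only looks for an explicit grant, so adding a new resource or role to the system changes nothing until someone deliberately extends the policy, which is what the "deny all unless specifically allowed" wording of 7.2 asks for.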