Disclaimer: This guide has been created with reference to the official PCI DSS documents published by the PCI Security Standards Council (PCI SSC), the industry body that owns and maintains the standard. It is intended to provide a clear and comprehensive explanation of PCI DSS Requirement 7. The contents are for informational purposes only and should not be considered as legal advice. Organizations should consult with a qualified PCI DSS consultant to ensure compliance.
Requirement 7: Restrict access to cardholder data by business need to know
This PCI DSS requirement is further divided into requirements 7.1, 7.2 and 7.3. Let's explore these in detail.
PCI DSS Requirement 7.1: Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
This requirement is further divided into sub-requirements 7.1.1 and 7.1.2. Let's explore these in detail.
PCI DSS Requirement 7.1.1: Manage security policies and procedures for access control
This requirement focuses on the effective management of all security policies and operational procedures related to access controls outlined in Requirement 7. It mandates that these policies and procedures are:
- Documented: Clearly defined and written down in a formal document.
- Kept Up-to-Date: Regularly reviewed and updated to reflect any changes in your systems, personnel, or access control practices.
- In Use: Actively implemented and followed by your personnel.
- Communicated: Made readily available and understood by all personnel whose roles are impacted by these policies and procedures.
Business implication:
- Reduced risk of unauthorized access: By effectively managing access control policies and procedures, you significantly reduce the risk of unauthorized access to your systems and cardholder data. This helps safeguard your business from potential financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Develop Clear and Concise Policies: Create well-defined access control policies that outline access rights and privileges for different user roles within your organization.
- Maintain Up-to-Date Procedures: Regularly review and update your access control procedures to reflect changes in your environment, personnel, or technologies.
- Implement Training Programs: Conduct regular training sessions for your employees to ensure they understand the access control policies and procedures and how to comply with them.
- Maintain Easy Access to Documentation: Make your access control policies and procedures readily available to all relevant personnel, either electronically or in hard copy format.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.1.1 | Examine documented access control policies and procedures. Interview personnel involved in access control activities. | The assessor will review your documented access control policies and procedures to verify they address all elements outlined in the requirement (documented, up-to-date, in use, communicated). The assessor will also interview personnel responsible for access control to understand how they implement and follow the established policies and procedures. |
PCI DSS Requirement 7.1.2: Assign and communicate access control roles and responsibilities
This requirement mandates that you clearly define and document the roles and responsibilities associated with access control activities outlined in Requirement 7. These roles and responsibilities should be assigned to specific personnel within your organization, and all relevant individuals must understand their assigned duties.
Definitions:
- Roles: Defined job functions within your organization that carry specific access control responsibilities. (e.g., System Administrator, Security Analyst)
- Responsibilities: The specific tasks and activities assigned to each role related to access control. (e.g., granting user access, reviewing access logs, managing password resets)
Business implication:
- Reduced Risk of Human Error: By clearly assigning and communicating access control responsibilities, you minimize the risk of human error in granting or managing access privileges. This helps prevent unauthorized access to your systems and cardholder data.
Best practices to meet this PCI DSS requirement:
- Develop Role-Based Access Control (RBAC): Implement a role-based access control (RBAC) system that defines user roles with pre-defined access permissions based on their job functions.
- Document Roles and Responsibilities: Clearly document the access control responsibilities associated with each defined role.
- Assign Roles to Personnel: Assign specific access control roles to appropriate personnel within your organization.
- Provide Access Control Training: Train personnel on their assigned access control responsibilities and ensure they understand the importance of following established procedures.
- Implement Acknowledgement Process: Consider having personnel acknowledge their understanding and acceptance of their assigned access control roles and responsibilities.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.1.2.a | Examine documentation outlining access control roles and responsibilities. Verify the documentation assigns these roles to specific personnel. | The assessor will review your documented access control roles and responsibilities to ensure they are clearly defined and assigned to specific positions within your organization. |
7.1.2.b | Interview personnel assigned access control roles. Focus on their understanding of their assigned responsibilities. | The assessor will interview personnel responsible for access control activities to verify they understand the specific tasks and duties associated with their assigned role. |
PCI DSS Requirement 7.2: Access to system components and data is appropriately defined and assigned.
This requirement is further divided into sub-requirements 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5 and 7.2.6. Let's explore these in detail.
PCI DSS Requirement 7.2.1: Define and implement an access control model
This requirement mandates that you establish a well-defined access control model for your systems and data that adheres to the following principles:
- Appropriate Access: Grant access privileges that are aligned with your organization's specific business needs and access requirements.
- Job-Based Access: Grant access to system components and data resources based on an individual's job classification and the functions they perform.
- Least Privilege: Assign the minimum level of access privileges (permissions) required for an individual to perform their job duties effectively. This principle minimizes the potential damage caused by unauthorized access or human error.
Business implication:
- Reduced Risk of Data Breaches: By implementing a robust access control model based on these principles, you significantly reduce the risk of unauthorized access to sensitive cardholder data. This helps safeguard your business from potential financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Develop an Access Control Policy: Create a documented access control policy that outlines your organization's access control model and how it aligns with the principles mentioned above.
- Implement Role-Based Access Control (RBAC): Consider implementing an RBAC system that defines user roles with pre-defined access permissions based on their job functions.
- Regularly Review Access Privileges: Conduct periodic reviews of user access privileges to ensure they remain aligned with current job functions and access needs.
- Pair Authorization with Requirement 8 Controls: The access control model decides what an account may do; it is only as strong as the authentication in front of it. Password rules, multi-factor authentication, and account lifecycle controls are covered by Requirement 8 and should be designed together with the model, but they do not substitute for defining appropriate, job-based, least-privilege access.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.2.1.a | Examine documented access control policies and procedures. Interview personnel involved in access control activities. | The assessor will review your documented access control policies and procedures to verify they define a model that incorporates all specified elements (appropriate access, job-based access, least privilege). The assessor will also interview personnel responsible for access control to understand how the access control model is implemented and followed in practice. |
7.2.1.b | Examine access control settings within your systems. Focus on verifying how access is granted based on job functions and least privilege principles. | The assessor will review the configuration of your access control systems to verify that access permissions are assigned based on job functions and adhere to the principle of least privilege. This may involve reviewing user accounts and their assigned permissions within the system. |
PCI DSS Requirement 7.2.2: Grant access based on job function and least privilege
This requirement focuses on the process of assigning access privileges to users, including privileged users, within your organization. It mandates that access be granted based on two key principles:
- Job Classification and Function: Access permissions should be assigned based on an individual's job role and the specific functions they perform within your organization.
- Least Privilege: Users should only be granted the minimum level of access privileges (permissions) required to effectively complete their job duties. This minimizes the potential damage caused by unauthorized access or human error.
Business implication:
- Reduced Risk of Data Security Incidents: By adhering to the principles of least privilege and job-based access control, you significantly reduce the risk of unauthorized access to sensitive cardholder data. This helps safeguard your business from potential financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Develop Clear Role Definitions: Define clear roles within your organization that outline the specific responsibilities and access needs associated with each role.
- Implement Role-Based Access Control (RBAC): Consider implementing an RBAC system that pre-defines access permissions for each role, simplifying the access assignment process.
- Regularly Review Access Privileges: Conduct periodic reviews of user access privileges to ensure they remain aligned with current job functions and access needs.
- Protect Privileged Accounts with Requirement 8 Controls: Least privilege limits what a compromised account can do; Requirement 8 limits how easily it can be compromised. PCI DSS requires multi-factor authentication for administrative access and for access into the cardholder data environment, so treat MFA on privileged accounts as mandatory rather than optional, alongside strong password policies.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.2.2.a | Examine documented access control policies and procedures. Focus on sections related to user access assignment. | The assessor will review your documented access control policies and procedures to verify they explicitly state that access will be assigned based on job classification, function, and the principle of least privilege. |
7.2.2.b | Examine user access settings within your systems, including privileged user accounts. Interview personnel responsible for managing access control. | The assessor will review the configuration of your access control systems to verify that user and privileged user access permissions are assigned based on job function and adhere to the least privilege principle. This may involve reviewing user accounts and their assigned permissions within the system. The assessor will also interview personnel responsible for assigning access to understand how they implement the principle of least privilege in practice. |
7.2.2.c | Interview personnel responsible for assigning access privileges, with a specific focus on privileged user accounts. | The assessor will interview personnel responsible for assigning privileged user accounts to verify they understand and follow the least privilege principle when granting access. |
PCI DSS Requirement 7.2.3: Require approval for access privileges
This requirement mandates that all access privileges granted to users, including privileged users, must be formally approved by authorized personnel within your organization. This approval process helps ensure that access is granted only to those who legitimately require it and aligns with their job responsibilities.
Definitions:
- Access Privileges: The permissions assigned to a user account that determine what actions they can perform within a system (e.g., read, write, modify, delete data).
- Authorized Personnel: Individuals within your organization designated with the authority to approve user access privileges. This typically includes security administrators or managers.
Business implication:
- Reduced Risk of Unauthorized Access: By requiring formal approval for all access privileges, you significantly reduce the risk of unauthorized access to sensitive cardholder data. This helps safeguard your business from potential financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Develop an Access Approval Process: Establish a documented process for requesting, reviewing, and approving access privileges. This process should clearly define who can request access, who can approve access, and the required documentation for each request.
- Define Authorized Personnel: Clearly identify the individuals within your organization who are authorized to approve access requests for different system components and privilege levels.
- Maintain Approval Records: Maintain documented records of all access privilege approvals, including the user, requested privileges, justification, and approval signature from authorized personnel.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.2.3.a | Examine documented access control policies and procedures. Focus on sections related to access approval processes. | The assessor will review your documented access control policies and procedures to verify they define a clear process for requesting and approving all access privileges by authorized personnel. |
7.2.3.b | Sample a selection of user accounts, including privileged users. For each user account, review the assigned privileges and compare them to documented access approval records. | The assessor will select a sample of user accounts, including privileged users, and examine their assigned access privileges within your systems. The assessor will then compare the assigned privileges for each user account with the documented access approval records, verifying that (1) documented approval exists for the assigned privileges, (2) the approval was granted by authorized personnel within your organization, and (3) the privileges specified in the approval records match the actual permissions assigned to the user account. |
PCI DSS Requirement 7.2.4: Regularly review user access (currently a best practice)
This requirement mandates that you conduct periodic reviews of all user accounts and their associated access privileges within your organization. This includes accounts for employees, third-party vendors, and even accounts used to access cloud services. The purpose of these reviews is to ensure that:
- User accounts and access privileges remain appropriate based on current job functions.
- Any inappropriate access is identified and addressed promptly.
- Management acknowledges that the reviewed access remains appropriate.
Current Status: As of June 17, 2024, this is a future-dated requirement: it is considered a best practice until March 31, 2025, and becomes mandatory after that date. Because a review cycle must be established and at least one review completed before it can be evidenced, it should be in place well before the deadline.
Business implication:
- Reduced Risk of Data Breaches: By regularly reviewing user access, you can identify and remove any unnecessary or excessive access privileges. This helps minimize the risk of unauthorized access to sensitive cardholder data by individuals who may no longer require it or who have moved to different roles within your organization.
Best practices to meet this PCI DSS requirement:
- Establish a Review Process: Develop a documented process for conducting periodic reviews of all user accounts and access privileges. This process should define the frequency of reviews (at least every six months), who is responsible for conducting the reviews, and how inappropriate access will be addressed.
- Utilize Data Owners: Consider assigning "data owners" responsible for managing and monitoring access to data relevant to their job functions. These data owners can help ensure user access remains current and appropriate based on changing roles and responsibilities.
- Management Acknowledgement: Obtain management acknowledgement that the reviewed access remains appropriate after each review cycle.
How to comply with this PCI DSS requirement (best practice until March 31, 2025):
Requirement | Actions required | How the assessment is done |
---|---|---|
7.2.4.a | Examine documented access control policies and procedures. Focus on sections related to user access review processes. | The assessor will review your documented access control policies and procedures to verify they define a process for reviewing all user accounts and access privileges, including those for third-party vendors and cloud services, at least every six months. |
7.2.4.b | Interview personnel responsible for conducting user access reviews. Examine documented results of past user access reviews (if available). | The assessor will interview personnel responsible for conducting user access reviews to understand their process and ensure it aligns with the documented procedures. The assessor will also examine documented results of past user access reviews (if available) to verify they demonstrate that reviews were conducted at least every six months and addressed any identified inappropriate access. |
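The evidence an assessor asks for under 7.2.3.b (does a documented approval exist, was the approver authorized, does the approval match what is actually assigned) and under 7.2.4 (was each account reviewed within six months, has inappropriate access been addressed) can be produced by reconciling an export of effective privileges against the approval register and the role baseline. The script below is an added example, not code from this page or from the PCI SSC. All identifiers, roles, approver names and dates in it are constructed for illustration, and the role baseline stands in for the access control model required by 7.2.1.

```python
"""Access review reconciliation (added example; constructed data throughout)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# 7.2.4: "at least once every six months"; 182 days is a conservative reading.
REVIEW_INTERVAL = timedelta(days=182)

# Hypothetical identifiers of the personnel authorised to approve access (7.2.3).
AUTHORISED_APPROVERS = {"sec-mgr-alice", "it-mgr-bob"}

# The access control model (7.2.1): each role's maximum permitted privileges.
# Application accounts get a role of their own so they are reviewed too (7.2.5).
ROLE_BASELINE = {
    "payments-analyst": {"pos-reports:read"},
    "db-admin": {"chd-db:admin", "pos-reports:read"},
    "pos-service": {"chd-db:write-tokenised"},
}


@dataclass
class Account:
    user_id: str
    role: str
    privileges: set[str]            # effective privileges exported from the system
    active: bool = True             # False once HR reports the person has left
    last_reviewed: date | None = None


@dataclass
class Approval:
    user_id: str
    privilege: str
    approver: str


def review(accounts, approvals, today):
    """Return sorted (account, finding, detail) triples for the review record."""
    approved = {(a.user_id, a.privilege): a.approver for a in approvals}
    granted = {(acct.user_id, p) for acct in accounts for p in acct.privileges}
    findings = []
    for acct in accounts:
        if not acct.active:
            findings.append((acct.user_id, "orphaned", "departed personnel, account still enabled"))
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            findings.append((acct.user_id, "unknown-role", acct.role))
            baseline = set()
        for priv in sorted(acct.privileges):
            if priv not in baseline:                      # exceeds job-based access (7.2.2)
                findings.append((acct.user_id, "exceeds-role", priv))
            approver = approved.get((acct.user_id, priv))
            if approver is None:                          # no documented approval (7.2.3)
                findings.append((acct.user_id, "no-approval", priv))
            elif approver not in AUTHORISED_APPROVERS:    # e.g. self-approved
                findings.append((acct.user_id, "unauthorised-approver", f"{priv} approved by {approver}"))
        if acct.last_reviewed is None or today - acct.last_reviewed > REVIEW_INTERVAL:
            findings.append((acct.user_id, "review-overdue", str(acct.last_reviewed)))
    # Approval records with no matching grant: the records and the system disagree.
    for (user_id, priv) in approved:
        if (user_id, priv) not in granted:
            findings.append((user_id, "approved-not-granted", priv))
    return sorted(findings)


TODAY = date(2024, 6, 17)   # the "as of" date used on this page

# Constructed inventory: one clean analyst, one over-privileged analyst,
# one departed DBA, and one service account that gained admin rights.
SAMPLE_ACCOUNTS = [
    Account("carol", "payments-analyst", {"pos-reports:read"}, last_reviewed=date(2024, 3, 1)),
    Account("dave", "payments-analyst", {"pos-reports:read", "chd-db:admin"}, last_reviewed=date(2023, 10, 1)),
    Account("erin", "db-admin", {"chd-db:admin", "pos-reports:read"}, active=False, last_reviewed=date(2024, 5, 1)),
    Account("svc-pos", "pos-service", {"chd-db:write-tokenised", "chd-db:admin"}, last_reviewed=date(2024, 5, 1)),
]
SAMPLE_APPROVALS = [
    Approval("carol", "pos-reports:read", "sec-mgr-alice"),
    Approval("dave", "pos-reports:read", "sec-mgr-alice"),
    Approval("dave", "chd-db:admin", "dave"),            # self-approved: not an authorised approver
    Approval("erin", "chd-db:admin", "it-mgr-bob"),
    Approval("erin", "pos-reports:read", "it-mgr-bob"),
    Approval("svc-pos", "chd-db:write-tokenised", "it-mgr-bob"),
    Approval("carol", "chd-db:admin", "it-mgr-bob"),     # approved but never actually granted
]


def demo_findings():
    return review(SAMPLE_ACCOUNTS, SAMPLE_APPROVALS, TODAY)


if __name__ == "__main__":
    for user_id, finding, detail in demo_findings():
        print(f"{user_id:10} {finding:22} {detail}")
```

Each finding maps to a line in the review record that management signs off: "exceeds-role" and "unauthorised-approver" are the 7.2.3 mismatches, "review-overdue" and "orphaned" are what 7.2.4 exists to catch, and "approved-not-granted" shows that the paper trail and the system have drifted apart even though nobody has too much access. The real inputs would be exports from your directory or IdP and your ticketing system rather than literals.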
PCI DSS Requirement 7.2.5: Manage Application and System Accounts (Currently a Best Practice)
This requirement focuses on the secure management of application and system accounts within your organization. These accounts are used by applications and systems themselves to perform specific functions, rather than being directly assigned to individual users. The requirement mandates that access privileges granted to these accounts adhere to the principles of:
- Least Privilege: Application and system accounts should only be granted the minimum level of access privileges absolutely necessary for them to function properly.
- Limited Access: Access for these accounts should be restricted to the specific systems, applications, or processes that require their use.
Current Status: As of June 17, 2024, this is a future-dated requirement: it is considered a best practice until March 31, 2025, and becomes mandatory after that date.
Business implication:
- Reduced Risk of Data Breaches: By limiting access privileges for application and system accounts, you significantly reduce the potential damage if these accounts are compromised by attackers. This helps safeguard your business from potential financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Develop a Management Process: Establish a documented process for managing and assigning access privileges to application and system accounts. This process should ensure adherence to the least privilege and limited access principles.
- Define Baselines: Consider establishing baseline access configurations for different types of application and system accounts. These baselines should limit unnecessary privileges and access, such as membership in privileged groups, remote access capabilities, etc.
- Regular Reviews: Conduct periodic reviews of application and system account privileges to ensure they remain aligned with current needs and the principle of least privilege.
How to comply with this PCI DSS requirement (best practice until March 31, 2025):
Requirement | Actions required | How the assessment is done |
---|---|---|
7.2.5.a | Examine documented access control policies and procedures. Focus on sections related to application and system account management. | The assessor will review your documented access control policies and procedures to verify they define a process for managing and assigning application and system account privileges in accordance with the least privilege and limited access principles. |
7.2.5.b | Examine access privileges assigned to application and system accounts. Interview personnel responsible for managing these accounts. | The assessor will examine the access privileges assigned to sample application and system accounts within your systems. The assessor will also interview personnel responsible for managing these accounts to understand how they implement the least privilege and limited access principles in practice. |
This requirement is further divided into 7.2.5.1. Let's explore this in detail.
PCI DSS Requirement 7.2.5.1: Periodically Review Application and System Account Access (Currently a Best Practice)
This requirement builds upon the concept of managing application and system accounts with least privilege (7.2.5). It mandates that you conduct periodic reviews of access privileges assigned to these accounts to ensure they remain appropriate and aligned with current needs.
Definitions:
- Application and System Accounts: Accounts used by applications and systems themselves to perform specific functions, rather than by individual users.
- Targeted Risk Analysis (TRA): The risk analysis that Requirement 12.3.1 calls for wherever a PCI DSS requirement leaves the frequency of a control to the entity. It documents the assets being protected, the threats the control addresses, the factors affecting the likelihood and impact of those threats, and the resulting justification for the chosen frequency. For 7.2.5.1, the TRA determines how often application and system account access is reviewed.
Business implication:
- Reduced Risk of Data Breaches: By regularly reviewing access privileges for application and system accounts, you can identify and remove any unnecessary or excessive permissions. This helps minimize the potential damage if these accounts are compromised by attackers, safeguarding your business from financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Develop a Review Process: Establish a documented process for conducting periodic reviews of application and system account access privileges. This process should define the review frequency (based on your TRA) and procedures for addressing any identified inappropriate access.
- Utilize Review Results: Take corrective actions to address any inappropriate access privileges identified during the reviews.
- Management Acknowledgement: Obtain management acknowledgement that the reviewed access for application and system accounts remains appropriate after each review cycle.
How to comply with this PCI DSS requirement (best practice until March 31, 2025):
Requirement | Actions required | How the assessment is done |
---|---|---|
7.2.5.1.a | Examine documented access control policies and procedures. Focus on sections related to application and system account review processes. | The assessor will review your documented access control policies and procedures to verify they define a process for reviewing all application and system account access privileges at the frequency defined in your targeted risk analysis. |
7.2.5.1.b | Examine your documented targeted risk analysis (TRA). Focus on the section that defines the frequency for reviewing application and system account access. | The assessor will examine your documented TRA to verify it was conducted according to PCI DSS Requirement 12.3.1 and that it defines a specific frequency for reviewing application and system account access privileges. |
7.2.5.1.c | Interview personnel responsible for conducting application and system account reviews. Examine documented results of past reviews (if available). | The assessor will interview personnel responsible for conducting these reviews to understand their process and ensure it aligns with the documented procedures and the frequency defined in the TRA. The assessor will also examine documented results of past reviews (if available) to verify they demonstrate that reviews were conducted at the specified frequency and addressed any identified inappropriate access. |
PCI DSS Requirement 7.2.6: Restrict access to cardholder data queries
This requirement focuses on securing access to repositories where you store cardholder data (CHD). It mandates that all user access to query these repositories be restricted in the following ways:
- Programmatic Methods and Least Privilege: Access to query CHD repositories should be granted through applications or automated scripts (programmatic methods). These methods should enforce user roles and the principle of least privilege, ensuring users only have access to perform specific actions and see the data relevant to their job functions.
- Administrator Direct Access: Only authorized administrators can directly access or query CHD repositories using tools that provide full, unfiltered access.
Definitions:
- Programmatic Methods: Granting access through a controlled layer such as an application service, database views, or stored procedures that expose only specific, pre-defined operations on the data. End users are given the right to invoke those operations, not the right to run arbitrary queries against the underlying tables, so they cannot retrieve more than the operation returns.
- Cardholder Data (CHD): At a minimum the full primary account number (PAN); it may also include the cardholder name, expiration date, and service code when stored with the PAN. Card verification values (CVV2/CVC2/CID), full track data, and PINs are sensitive authentication data (SAD), not CHD, and PCI DSS prohibits storing them after authorization, so a repository of stored CHD should never contain them.
Business implication:
- Reduced Risk of Data Breaches: By restricting direct access to CHD repositories and enforcing programmatic methods with least privilege, you significantly reduce the risk of unauthorized access or misuse of sensitive cardholder data. This helps safeguard your business from potential financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Develop Secure Access Methods: Design applications or scripts that control access to CHD repositories through programmatic methods. These methods should enforce user roles and least privilege principles.
- Limit Direct Administrator Access: Restrict direct access to CHD repositories to a minimal number of authorized administrators who require it for essential tasks.
- Regular Reviews: Conduct periodic reviews of user access to CHD repositories to ensure continued compliance with this requirement.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.2.6.a | Examine documented access control policies and procedures. Interview personnel responsible for granting access to CHD repositories. | The assessor will review your documented access control policies and procedures to verify they define a process for granting user access to query repositories of stored CHD that adheres to the principles outlined in this requirement (programmatic methods and least privilege). The assessor will also interview personnel responsible for granting access to understand how they implement these controls in practice. |
7.2.6.b | Examine the configuration settings for querying CHD repositories within your systems. | The assessor will examine the configuration settings of the systems or tools used to access CHD repositories. This verification will ensure they are configured to restrict direct, unfiltered access by end users and only allow access through approved programmatic methods. |
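The gateway below is an added example, not code from this page or from the PCI SSC, showing the shape 7.2.6 describes: end users reach the repository only through named operations whose allowed actions depend on their role, the database connection is never handed out, and only the responsible administrator role can run an ad-hoc query. SQLite is used so it runs offline; because SQLite has no GRANT/REVOKE, the role check lives in the gateway, whereas on a real DBMS the same design is expressed by revoking direct table access from application roles and granting EXECUTE on stored procedures that implement these operations. The roles, customer IDs and rows are constructed; the stored PAN is a placeholder blob, since Requirement 3 requires it to be unreadable wherever it is stored.

```python
"""CHD repository gateway (added example; constructed data, no real card data)."""
import sqlite3

# Hypothetical role -> permitted operations. Anything not listed is denied.
ROLE_OPERATIONS = {
    "support-agent": {"lookup_card"},
    "chargeback-analyst": {"lookup_card", "list_transactions"},
    "dba": {"lookup_card", "list_transactions", "raw_query"},   # responsible administrator
}


class AccessDenied(PermissionError):
    pass


class ChdRepository:
    def __init__(self, conn):
        self._conn = conn          # private: callers never receive the connection
        self.audit = []            # (role, operation, target, outcome) records

    def _authorise(self, role, operation, target):
        if operation not in ROLE_OPERATIONS.get(role, set()):
            self.audit.append((role, operation, target, "DENIED"))
            raise AccessDenied(f"role {role!r} may not perform {operation!r}")
        self.audit.append((role, operation, target, "ALLOWED"))

    def lookup_card(self, role, customer_id):
        """Least-privilege view: last four digits and expiry, never the stored PAN."""
        self._authorise(role, "lookup_card", customer_id)
        row = self._conn.execute(
            "SELECT pan_last4, expiry FROM cards WHERE customer_id = ?", (customer_id,)
        ).fetchone()                                      # parameterised: no injection path
        return None if row is None else {"pan_last4": row[0], "expiry": row[1]}

    def list_transactions(self, role, customer_id):
        self._authorise(role, "list_transactions", customer_id)
        rows = self._conn.execute(
            "SELECT txn_id, amount_cents FROM transactions "
            "WHERE customer_id = ? ORDER BY txn_id",
            (customer_id,),
        ).fetchall()
        return [{"txn_id": t, "amount_cents": a} for t, a in rows]

    def raw_query(self, role, sql, params=()):
        """Direct, unfiltered access: reserved for the responsible administrator(s)."""
        self._authorise(role, "raw_query", sql)
        return self._conn.execute(sql, params).fetchall()


def build_demo_repository():
    """In-memory repository populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cards (
            customer_id TEXT PRIMARY KEY, pan_enc BLOB, pan_last4 TEXT, expiry TEXT);
        CREATE TABLE transactions (
            txn_id INTEGER PRIMARY KEY, customer_id TEXT, amount_cents INTEGER);
    """)
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?, ?)", [
        ("C1001", b"<ciphertext placeholder>", "4242", "12/27"),
        ("C1002", b"<ciphertext placeholder>", "0005", "03/26"),
    ])
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", [
        (1, "C1001", 1999), (2, "C1001", 4500), (3, "C1002", 120),
    ])
    conn.commit()
    return ChdRepository(conn)


if __name__ == "__main__":
    repo = build_demo_repository()
    print(repo.lookup_card("support-agent", "C1001"))
    try:
        repo.list_transactions("support-agent", "C1001")
    except AccessDenied as exc:
        print("denied:", exc)
    print(repo.raw_query("dba", "SELECT count(*) FROM cards"))
```

The 7.2.6.b evidence is then twofold: the database-level grants show that application roles have no rights on the tables themselves, and the gateway's role table shows which operations each role may invoke. The audit list is there because denied attempts against a CHD repository are exactly the events Requirement 10 expects you to log.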
PCI DSS Requirement: 7.3 Access to system components and data is managed via an access control system(s).
This requirement is further divided into sub-requirements 7.3.1, 7.3.2, and 7.3.3. Let's explore these in detail.
PCI DSS Requirement 7.3.1: Implement an access control system
This core requirement mandates that you have an access control system (or systems) in place to manage user access to all system components within your environment that store, process, or transmit cardholder data (CHD). This system should restrict access based on the principle of "need to know."
Definitions:
- Access Control System (ACS): A software or hardware-based system that manages user access to computer systems, networks, and resources. It enforces access control policies and procedures by verifying user identities and granting or denying access permissions.
- Need to Know: A principle that grants access to data and systems only to authorized users who require it to perform their job duties.
Business implication:
- Reduced Risk of Data Breaches: By implementing an access control system that enforces "need to know," you significantly reduce the risk of unauthorized access to sensitive CHD. This helps safeguard your business from potential financial losses, reputational damage, and regulatory penalties associated with data breaches.
Best practices to meet this PCI DSS requirement:
- Centralized Access Control: Implement a centralized access control system that manages user access across all systems containing CHD. This simplifies administration and ensures consistent enforcement of access control policies.
- Role-Based Access Control (RBAC): Consider implementing RBAC, which pre-defines access permissions for different user roles within your organization. This approach streamlines access assignment and ensures users only have the privileges they need for their jobs.
- Regular Reviews: Conduct periodic reviews of user access to ensure continued compliance with the principle of "need to know."
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.3.1 | Examine vendor documentation for your access control system(s). Review system configuration settings. | The assessor will examine the vendor documentation for your access control system(s) to verify it is designed to manage user access and enforce access control policies. The assessor will also review the configuration settings of your access control system(s) to ensure they are configured to restrict access based on user roles and the principle of "need to know." This verification may involve examining user access assignments and permissions within the system. |
PCI DSS Requirement 7.3.2: Enforce User Permissions Based on Job Function
This requirement builds upon the concept of having an access control system (7.3.1). It mandates that your access control system be configured to enforce the access permissions assigned to individual users, applications, and systems. These permissions should be based on the job classification and function of each user or entity.
Definitions:
- Job Classification and Function: The specific role and responsibilities assigned to an individual, application, or system within your organization.
Business implication:
- Reduced Risk of Data Breaches: By ensuring that user permissions are aligned with job functions, you minimize the risk of unauthorized access to sensitive CHD. Users will only have the access privileges they need to perform their tasks, reducing the potential for accidental misuse or exploitation by attackers.
Best practices to meet this PCI DSS requirement:
- Use Groups and Roles Deliberately: Group or role membership is how most access control systems enforce permissions, and that is acceptable as long as each group corresponds to a documented job function (or to a specific application or system), its membership is part of the periodic review, and the effective permissions of any account can be traced back to an approval. Avoid ad-hoc or deeply nested groups that make effective permissions hard to determine, and do not add application or system accounts to general-purpose user groups simply to make something work.
- Least Privilege Principle: Adhere to the principle of least privilege when assigning permissions. Users, applications, and systems should only have the minimum level of access absolutely necessary to perform their intended functions.
- Regular Reviews: Conduct periodic reviews of user and system permissions to ensure they remain aligned with current job functions and the principle of least privilege.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.3.2 | Examine vendor documentation for your access control system(s). Review system configuration settings, focusing on user and system permission assignments. | The assessor will examine the vendor documentation for your access control system(s) to verify it has the capability to enforce permissions based on individual user accounts, applications, and systems. The assessor will then review the configuration settings within your access control system. This verification will involve examining how user permissions are assigned and ensuring they are aligned with documented job classifications and functions. |
PCI DSS Requirement 7.3.3: Set Access Control to "Deny All" by Default
This critical requirement mandates that your access control system(s) be configured with a default setting of "deny all." This means that by default, no user, application, or system has access to any resources within your environment. Access permissions must be explicitly granted through specific rules defined within the access control system.
Definitions:
- Deny All: A security principle where access to resources is explicitly denied by default. Users or systems must be granted specific permissions to access specific resources.
Business implication:
- Reduced Risk of Data Breaches: The "deny all" default significantly reduces the risk of unauthorized access to sensitive CHD. Even in the event of misconfigurations or inadvertent permission assignment errors, unauthorized users or systems will still be denied access by default.
Best practices to meet this PCI DSS requirement:
- Verify Default Settings: During initial system configuration and after any updates, verify that the access control system is set to "deny all" by default.
- Document Configuration: Document the default access settings of your access control system(s).
- Regular Reviews: Conduct periodic reviews to ensure the "deny all" default setting remains in place and has not been inadvertently changed.
How to comply with this PCI DSS requirement:
Requirement | Actions required | How the assessment is done |
---|---|---|
7.3.3 | Examine vendor documentation for your access control system(s). Review system configuration settings, focusing on the default access behavior. | The assessor will examine the vendor documentation for your access control system(s) to verify it has the capability to enforce a "deny all" default setting. The assessor will then review the configuration settings of your access control system to ensure the default access behavior is set to "deny all." This may involve reviewing relevant configuration files, logs, or user interface options within the system. |
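To make 7.3.2 and 7.3.3 concrete, the evaluator below is an added example, not code from this page or from the PCI SSC. It models an access control system that holds allow rules only: permissions are enforced for users, applications and systems alike through the roles assigned to them (7.3.2), and a request that matches no rule is denied because there is no permissive state to fall back to (7.3.3). It also includes the two checks a practitioner would run before and after configuration changes: a probe that proves a principal with no role (or with a role no rule mentions) is denied everything, and a lint that flags rules whose resource glob is "*", which are an "allow all" in disguise. Principals, roles, actions and resource names are constructed for illustration.

```python
"""Default-deny access control evaluator (added example; constructed data)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                 # "user", "application" or "system" (7.3.2 covers all three)
    roles: frozenset


@dataclass(frozen=True)
class AllowRule:
    role: str
    action: str               # exact action name, e.g. "read", "write", "admin"
    resource: str             # glob over resource names, e.g. "chd-db/*"


class AccessControlSystem:
    """Holds allow rules only. A request that matches no rule is denied: that is
    what 7.3.3 means by "deny all" by default."""

    def __init__(self, rules):
        self.rules = tuple(rules)

    def decision(self, principal, action, resource):
        """Return (allowed, matching_rule); the rule is kept for audit evidence."""
        for rule in self.rules:
            if (rule.role in principal.roles
                    and rule.action == action
                    and fnmatchcase(resource, rule.resource)):
                return True, rule
        return False, None

    def is_allowed(self, principal, action, resource):
        return self.decision(principal, action, resource)[0]

    def overly_broad_rules(self):
        """Rules granting an action on every resource defeat least privilege; flag them."""
        return [r for r in self.rules if r.resource == "*"]


def verify_default_deny(acs, actions, resources):
    """7.3.3 check: a principal with no role, and one whose role no rule mentions,
    must be denied every (action, resource) pair, including pairs no rule lists."""
    canaries = [Principal("canary-no-role", "user", frozenset()),
                Principal("canary-ghost-role", "system", frozenset({"role-no-rule-mentions"}))]
    probes = [(a, r) for a in actions for r in resources] + [("delete", "not-in-any-rule")]
    return all(not acs.is_allowed(c, a, r) for c in canaries for a, r in probes)


# Constructed rule set: roles map to job functions, applications and systems.
RULES = (
    AllowRule("payments-analyst", "read", "pos-reports/*"),
    AllowRule("db-admin", "admin", "chd-db/*"),
    AllowRule("pos-application", "write", "chd-db/tokenised-transactions"),
    AllowRule("backup-system", "read", "chd-db/*"),
)

PRINCIPALS = {
    "carol": Principal("carol", "user", frozenset({"payments-analyst"})),
    "svc-pos": Principal("svc-pos", "application", frozenset({"pos-application"})),
    "backup01": Principal("backup01", "system", frozenset({"backup-system"})),
    "new-hire": Principal("new-hire", "user", frozenset()),   # no role assigned yet
}


def demo_acs():
    return AccessControlSystem(RULES)


if __name__ == "__main__":
    acs = demo_acs()
    for name, action, resource in [("carol", "read", "pos-reports/daily-settlement"),
                                   ("carol", "read", "chd-db/cards"),
                                   ("svc-pos", "write", "chd-db/tokenised-transactions"),
                                   ("new-hire", "read", "pos-reports/daily-settlement")]:
        allowed, rule = acs.decision(PRINCIPALS[name], action, resource)
        print(f"{name:9} {action:6} {resource:32} {'ALLOW' if allowed else 'DENY'} {rule}")
    print("default deny holds:", verify_default_deny(
        acs, ["read", "write", "admin"], ["chd-db/cards", "pos-reports/daily-settlement"]))
```

The same two checks apply to real systems: on a firewall or cloud IAM policy, confirm that the evaluation order ends in an implicit deny and that no statement grants an action on resource "*" without a documented reason; on an operating system or database, confirm that a freshly created account with no group membership cannot reach anything in scope.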