Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first

PCI-DSS: Requirement 7

PCI-DSS requirement 7 calls for merchants and service providers to ensure that cardholder data is restricted based on business responsibilities. Essentially, this means that access to important and vulnerable credit card data should be restricted to only authorised users.

What is PCI-DSS Requirement 7?

To achieve this, your business will need to demonstrate that your systems and processes limit access on a ‘need to know’ basis – allowing the appropriate users to access the minimum amount of data required to do their job.

PCI-DSS Requirement 7.1: Limit access to system components and cardholder data based on business needs.

The risk of a data breach only increases when more people have access to cardholder data within a company. This is why limiting access based on legitimate business needs will prevent a compromise based on either misuse or negligence.

The first step in PCI-DSS requirement 7 compliance states that this should be demonstrated within a written policy that includes:

  • Clearly defined access needs to be outlined for each role.
  • User IDs that provide access should only allow the user visibility to the minimum amount of data required to do their job.
  • Access should be based on the job roles and requirements of staff.
  • All access needs to be approved by authorised personnel – this can be either digitally or in writing.

PCI-DSS Requirement 7.1.1: Define the access requirements for each job role.

To ensure cardholder data access is limited to only those who need it, your business should clearly outline the visibility requirements for each job role for all necessary system components. You should also determine the specific needs that each role will have to carry out their assigned tasks.

Once the access needs have been defined, this can be granted accordingly. This also means that the following aspects can be taken into consideration:

  • The specific system components and data sources each role requires for business needs.
  • The level of privilege required to access resources – this includes user, admin, editor, etc.

Once this step is complete, your business can then decipher the level of privilege required.

PCI-DSS Requirement 7.1.2: Restrict access user IDs to grant the minimum privileges required to fulfil job responsibilities.

The level of ‘privilege’ (access rights) a user ID has should be the minimum amount necessary to perform their job responsibilities. These include database administrators, general system administrators, backup managers, and editors.

This prevents any mistakes from being made by inexperienced or uninformed users who could impact the configuration or security settings of the software, which could have significant consequences.

PCI-DSS Requirement 7.1.3: Assign access to employees based on job responsibilities.

Now the requirements for user IDs have been confirmed, you will be able to assign the relevant staff each privilege based on their job role – therefore making the process much more manageable.

PCI-DSS Requirement 7.1.4: Request documented approval from the relevant parties on assigned privileges.

It’s important to gain the approval of the appropriate management when it comes to assigning user IDs and privilege. This will need to be either written down or electronically documented to keep track of the roles assigned to each person, so that any mistakes can be traced back to the source.

PCI-DSS Requirement 7.2: Create an access control system restricts access based on user authority, that is set to ‘deny all’ unless authorised.

Access control systems will automate any access limitation unless the person has been given specific authorisation. There could be more than one access control system to manage user access within a business.

These access control systems will need to include:

  • A scope of all relevant system components.
  • Privileges assigned to staff based on job classification.
  • A default ‘deny all’ rule.

By implementing a ‘deny all’ rule, your business will ensure that no one can access the data unless a specific rule allows for visibility.

PCI-DSS Requirement 7.3: Ensure that security policies and operational procedures are documented, in use, and known to all relevant staff.

Your workforce will need to know and follow all security policies and procedures to ensure that access has been continuously monitored and no unauthorised personnel can gain visibility.

Compliance as you work with Hicomply

If you’re looking to meet all the PCI-DSS requirements, including PCI-DSS Requirement 6, we can help. At Hicomply, we know that the process can seem long-winded and confusing, which is why we offer a full ISMS solution that allows you to keep everything you need to achieve certification in one place. Contact us today for a demo.