PCI DSS Blog Series – Requirement 7

The Payment Card Industry Data Security Standard (PCI DSS) consists of nearly 400 individual controls, and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. We find that companies considering PCI are often caught off guard by how comprehensive the PCI DSS is. So, we thought we would help!

CompliancePoint’s PCI blog series will analyze each of the 12 Requirement families. We will outline common challenges our customers face with each requirement, answer some frequently asked questions, and finally, we will provide some pro tips on becoming PCI Certified.

This week we will address Requirement 7: Restrict access to cardholder data by business need to know.

Requirement 7: Restrict access to cardholder data by business need to know.

What does this requirement require at a high level?

Requirement 7 of the PCI DSS concentrates on restricting access to critical systems and cardholder data to personnel who are authorized strictly on the basis of their job function and role within the company. This requirement is mainly about controlling access to PCI in-scope systems and granting access privileges only to those who “need to know” based on their business needs.

This requirement includes the following:

  • Assigning access to employees based on job function/classification,
  • Defining requirements for access pertaining to each individual role,
  • Restricting access to privileged user IDs to least privileges necessary,
  • Implementing an access control system for system components, and
  • Setting these systems to “deny all”.

Why is compliance with this requirement important (beyond getting certified)?

Sensitive information could be used maliciously. It is critical that access to important data, and to the systems that store it, is allowed only to authorized personnel. There must be processes in place to limit access based on job responsibilities and roles to reduce those risks.

The more individuals who have access to cardholder data, the more likely that a user’s account will be compromised and used maliciously. Limiting access to those with a legitimate business need can assist a company in preventing the misuse of cardholder data through malice or accident.

Assigning least privileges also helps prevent users from incorrectly or accidentally altering an application configuration or modifying security settings. Enforcing least privilege may also help to minimize the scope of damage if an unauthorized individual gains access to a user ID. Without a mechanism to restrict access based on a user’s need to know, a user may unknowingly be granted access to cardholder data. Unauthorized access can often result in the theft of files, data, and other crucial information.

While these PCI controls apply to the “Cardholder Data Environment” or “CDE”, they are excellent best practices to apply throughout an organization’s entire infrastructure.

Common Challenges & Tips for Success:

  1. Define access needs for each role.
    Identifying roles within the company is always the first step towards making sure that only those with business needs can gain access to critical data and systems. When these roles have been established, the business may then evaluate the level of privilege required and limit access where needed.

    It is important to define the access needs and the privilege assignments for each job function and role. An organization should define at least the following criteria for every role:
    • System components and data sources that each role needs for business and job functions
    • The level of privilege required to access resources (user, administrator, etc.)
    • Use the concept of “Least Privilege” to set a baseline for all roles
  2. Grant access to, and document authorized users
    All organizations should have a process to log their electronic or written approvals.
    The process should confirm that individuals with access and special privileges are known and acknowledged by management while also ensuring that their access is needed for their job role.

    The process should also employ the same type of form for logging each subsequent privilege change.
  3. Implement an access control system that restricts access based on an individual’s “need to know” and denies access to everyone else
    An organization should always begin by denying access to all systems and then granting privileges as needed by the roles defined in the previous steps. Without the use of a mechanism restricting access based on what the user should know, unauthorized access to cardholder data may occur unknowingly.

    Where possible, use access control systems that possess the ability to automate the process of restricting access and assigning privileges.

    Organizations are permitted to have one or more access control systems to manage user access and should pick the type of control system that best meets their needs. The three main types of access control systems include:
    • Role Based Access Control (RBAC)
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)

  4. Periodically review all user access permissions
    People shift in their positions constantly within an organization. An administrator may move to a different role and no longer need access to a system. An organization must have processes in place to periodically ensure that a user’s access to sensitive systems is still in line with their role.
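
    The four steps above, sketched as an added example that is not CompliancePoint's code or part of the PCI DSS: roles are defined by the component and privilege pairs they need, access is denied unless an approved grant covers it, and a periodic review flags grants that lack approval or no longer match the user's job. All role names, users, and approvers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Step 1 (constructed roles): each role lists the only (component, privilege)
# pairs it needs. Anything not listed here is denied.
ROLES = {
    "support_agent": {("crm", "read")},
    "payments_dba": {("card_db", "read"), ("card_db", "admin")},
    "developer": {("build_server", "write")},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    approved_by: Optional[str]  # Step 2: documented approval, None if missing

def is_allowed(grants, user, component, privilege):
    """Step 3, default deny: allow only if an approved grant's role lists the pair."""
    for g in grants:
        if (g.user == user and g.approved_by
                and (component, privilege) in ROLES.get(g.role, set())):
            return True
    return False

def review_access(grants, current_job):
    """Step 4, periodic review: flag grants that should be revoked or re-approved."""
    findings = []
    for g in grants:
        if g.role not in ROLES:
            findings.append((g.user, g.role, "undefined role"))
        elif not g.approved_by:
            findings.append((g.user, g.role, "no documented approval"))
        elif current_job.get(g.user) != g.role:
            findings.append((g.user, g.role, "role no longer matches job function"))
    return findings

# Constructed sample data.
GRANTS = [
    Grant("alice", "payments_dba", "cio"),
    Grant("bob", "support_agent", "support_mgr"),
    Grant("carol", "payments_dba", None),   # access was never approved
    Grant("dave", "payments_dba", "cio"),   # has since moved to development
]
CURRENT_JOB = {"alice": "payments_dba", "bob": "support_agent",
               "carol": "payments_dba", "dave": "developer"}

if __name__ == "__main__":
    print(is_allowed(GRANTS, "bob", "card_db", "read"))
    for finding in review_access(GRANTS, CURRENT_JOB):
        print(finding)
```

    Note that dave's stale grant still passes the access check until the review removes it, which is why the periodic review is a separate control.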

Common Questions:

  1. What if a company does not utilize an automated change management system for requests and approvals?
    • A company does not need an automated system, but if it does not have one, it must still meet the required areas listed in the PCI DSS.
    • The company must create a formal process for requesting access or requiring approval.
  2. What does “least privilege” mean in terms of access?
    • The fundamental principle of least privilege is a security concept in which an individual is given the minimum level of access or permissions needed to perform their job.
    • Each individual is essentially given the bare minimum privileges needed to complete their job; this concept minimizes risk.
    • While “Need to Know” suggests that the individual has a legitimate business justification to access something, least privilege is known as the enforcement method that limits access to that something, and what the individual can accomplish with that something.
  3. Why does an access control system need to be implemented?
    • Access control systems are crucial in protecting companies against privacy breaches, data theft, and cyber-attacks.
    • The four main elements of access control are identification, authentication, authorization, and lastly auditing.

Conclusion

The goal of the PCI DSS is to protect the networks and environments that store, process, or transmit cardholder data. Protecting an organization’s network(s) starts with ensuring that the traffic and data flowing in and out of your environment is explicitly allowed and required in order to run the revenue-driving services for your organization. For those considering going down the path of PCI compliance, understanding and documenting all the connections flowing through your organization should be step one.

CompliancePoint is a Qualified Security Assessor Company (QSAC). Our consultants have decades of experience as practitioners and auditors. Please reach out to us at connect@compliancepoint.com if you have any questions about this requirement or how CompliancePoint can assist your organization with preparing for your PCI DSS Certification. 

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.