Req 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

Implement principles of least privilege for access.

Responsibility: Merchant
Compliance Status: In Progress (60%)
Overview

To minimize the risk of unauthorized access, each user's privileges should be restricted to the minimum necessary to perform their job responsibilities. This is known as the principle of least privilege.

Key Actions for Compliance
A non-exhaustive list of actions your organization should take to meet this requirement.
  • Define access needs for each role, including system components and data.
  • Implement an access control system that enforces privileges based on roles and need to know.
  • Set all access rights to "deny-all" by default.
  • Perform regular reviews of user access rights.
Testing Procedures (Simplified)
How auditors may verify that this requirement is met.
  • Examine access control policies and procedures.
  • Review user access lists and compare them against job descriptions to ensure the principle of least privilege is enforced.
  • Verify that the access control system is configured to "deny-all" by default.