Category: PCI DSS Requirement 7
Restrict Access to System Components and Cardholder Data by Business Need to Know
Inadequately defined access control rules can let unauthorized individuals reach critical systems or sensitive cardholder data. Systems and processes that restrict access according to need to know and job responsibilities must be in place to ensure that only authorized personnel can access critical data.
The rules that grant users access to systems, applications, and data are referred to as "access rights" and "privileges." A privilege enables a user to carry out a specific action or function on a system, application, or set of data. A user may, for instance, hold access rights to particular data, while the user's privileges determine whether they can only read that data or can also modify or delete it. Access rights and privileges should be managed carefully and at a granular level.
The term "need to know" refers to granting access to only the least amount of data needed to perform a job. The term "least privilege" refers to granting only the minimum level of privileges needed to perform a job.
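As an added illustration (not part of the PCI DSS text), the following Python sketch keeps the two ideas apart: the role-to-resource table decides which data a role may reach at all (need to know), the action sets inside it decide what the role may do to that data (privileges), and a default-deny check enforces both. The roles, resource types, and helper names are constructed for this example; the excess-privilege helper shows how a least-privilege review would flag what a role holds beyond its job.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed role -> resource type -> allowed actions table (hypothetical, not from PCI DSS).
# Which resource types appear under a role are its "access rights" (need to know);
# which actions appear under each resource type are its "privileges" (least privilege).
ROLE_PERMISSIONS: dict[str, dict[str, frozenset[str]]] = {
    # Support staff may look up an account but never change or erase it.
    "support_agent": {"cardholder_record": frozenset({"read"})},
    # Analysts see records and may annotate, but never alter, transactions.
    "fraud_analyst": {
        "cardholder_record": frozenset({"read"}),
        "transaction": frozenset({"read", "annotate"}),
    },
    # Database administrators carry the full set on records; this is the kind of
    # role a least-privilege review should examine.
    "db_admin": {"cardholder_record": frozenset({"read", "update", "delete"})},
    # An application/service account is modelled exactly like a human role.
    "billing_service": {"transaction": frozenset({"read", "create"})},
}


@dataclass(frozen=True)
class Principal:
    """A user or service account and the roles assigned to it."""
    name: str
    roles: frozenset[str]
    kind: str = "user"  # "user" or "service"


def is_permitted(principal: Principal, resource_type: str, action: str) -> bool:
    """Deny by default: allow only if an assigned role grants this action on this resource type.

    Roles that are unknown to the table grant nothing, so a mistyped or retired
    role name fails closed rather than open.
    """
    for role in principal.roles:
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource_type, frozenset()):
            return True
    return False


def excess_privileges(role: str, required: set[tuple[str, str]]) -> set[tuple[str, str]]:
    """Return the (resource_type, action) pairs a role holds beyond what the job requires.

    A non-empty result is a least-privilege finding: trim the role to `required`
    or split it into narrower roles.
    """
    held = {
        (resource_type, action)
        for resource_type, actions in ROLE_PERMISSIONS.get(role, {}).items()
        for action in actions
    }
    return held - required


if __name__ == "__main__":
    agent = Principal("alice", frozenset({"support_agent"}))
    billing = Principal("billing-svc", frozenset({"billing_service"}), kind="service")
    print(is_permitted(agent, "cardholder_record", "read"))
    print(is_permitted(agent, "cardholder_record", "delete"))  # no such privilege
    print(is_permitted(agent, "transaction", "read"))  # no need to know
    print(is_permitted(billing, "cardholder_record", "read"))  # service accounts are scoped too
    print(excess_privileges("db_admin", {("cardholder_record", "read"), ("cardholder_record", "update")}))
```

The check fails closed on every path: an unassigned role, an unlisted resource type, or an unlisted action all return a denial, which is the property an assessor will look for when the access control model is reviewed.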
These requirements apply to user accounts and access for employees, consultants, contractors, internal and external vendors, and other third parties (for example, those providing support or maintenance services). The entity's application and system accounts, also known as "service accounts," are subject to the same restrictions.
These requirements do not apply to consumers or customers (individual cardholders).