[co-author: Jalen West]
The Payment Card Industry Data Security Standard (PCI DSS) comprises nearly 400 individual controls and is an essential part of the business continuity of any merchant, service provider or sub-service provider involved in the processing of cardholder data. We find that companies considering PCI are often caught off guard by the comprehensiveness of PCI DSS. So, we thought we would help!
CompliancePoint’s PCI blog series will analyze each of the 12 requirement families. We’ll outline the common challenges our customers face for each requirement, answer some frequently asked questions, and finally provide some pro tips for becoming PCI certified.
This week we will discuss Requirement 7: Restrict access to cardholder data based on business needs.
Requirement 7: Restrict access to cardholder data based on business needs.
What does this requirement require at a high level?
PCI DSS Requirement 7 focuses on restricting access to critical systems and cardholder data to authorized personnel only, based strictly on their function and role within the business. This requirement is primarily concerned with controlling access to PCI in-scope systems and granting access privileges strictly to those who “need to know” based on their business needs.
This requirement includes the following:
- Assign access to employees based on job function/classification,
- Define access requirements for each individual role,
- Restrict access to privileged user IDs to the least privileges necessary,
- Implement an access control system for system components, and
- Set these systems to “deny all”
Why is compliance with this requirement important (beyond certification)?
Sensitive information could be used for malicious purposes. It is essential that access to sensitive data, and to the systems that store it, is permitted only to authorized personnel. Processes should be in place to limit access based on job roles and responsibilities to reduce these risks.
The more people who have access to cardholder data, the more likely a user’s account will be compromised and used for malicious purposes. Limiting access to people with a legitimate business need can help a company prevent the misuse of cardholder data either maliciously or by accident.
Assigning least privileges also helps prevent users from incorrectly or accidentally modifying an application configuration or changing security settings. Applying least privilege can also help minimize the extent of damage if an unauthorized person gains access to a user ID. Without a mechanism to restrict access based on the user’s need-to-know, a user may unknowingly be granted access to cardholder data. Unauthorized access can often result in the theft of files, data, and other crucial information.
While these PCI controls apply to the “cardholder data environment” or “CDE,” they are excellent best practices to apply across an organization’s infrastructure.
Common challenges and tips for success:
- Define access requirements for each role.
Identifying roles within the business is always the first step to ensuring that only those with business needs can access critical data and systems. When these roles have been established, the business can then assess the level of privilege required and limit access if necessary.
It is important to define access requirements and privilege assignments for each function and role. An organization should define at least the following criteria for each role:
- System components and data sources that each role needs for business and professional functions
- The level of privilege required to access resources (user, administrator, etc.)
- A “least privilege” baseline that applies to all roles
- Grant access and document authorized users
All organizations should have a process for recording their electronic or written approvals.
The process should confirm that those with special access and privileges are known and recognized by management while ensuring that their access is necessary for their position.
The process should also use the same type of form to log each subsequent privilege change.
- Implement an access control system that restricts access based on an individual’s “need to know” and defaults to “deny all”
An organization should always start by denying access to all systems and then grant privileges as needed by the roles defined in the previous steps. Without a mechanism that restricts access based on the user’s need to know, users can be granted access to cardholder data without anyone realizing it.
Whenever possible, use access control systems that can automate the process of restricting access and assigning privileges.
Organizations are allowed to have one or more access control systems to manage user access and should choose the type of control system that best suits their needs. The three main types of access control systems include:
- Role Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Periodically review all user access permissions
People constantly change positions within an organization. An administrator can change roles and no longer need access to a system. An organization should have processes in place to periodically ensure that a user’s access to sensitive systems is still consistent with their role.
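The tips above describe one workflow: define access requirements per role, record a management-approved grant for each user, enforce access with a default-deny control, and periodically check that every grant still matches the user’s current role. The following Python sketch is an added illustration of that workflow; it is not code from the original post or from CompliancePoint. The roles, users, system names, approver names and ticket references are all constructed sample data, and the HR-directory snapshot passed to the review is an assumption about where the “current role” would come from.

```python
"""Default-deny, role-based access control with an approval record and a
periodic access review, illustrating PCI DSS Requirement 7. All roles, users,
systems and ticket ids below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date

# Access requirements defined per role (constructed sample roles). Each role
# lists the in-scope system components it may touch and the actions allowed on
# each. Anything not listed here is denied, which is the "deny all" baseline.
ROLE_PERMISSIONS = {
    "payment-app-support": {"payment-db": {"read"}, "pos-gateway": {"read", "restart"}},
    "dba": {"payment-db": {"read", "write", "admin"}},
    "marketing": {},  # no in-scope access at all
}


@dataclass
class AccessGrant:
    """A documented approval: who got which role, approved by whom and when."""
    user: str
    role: str
    approved_by: str
    approved_on: date
    ticket: str  # reference to the written or electronic approval record


@dataclass
class AccessControlSystem:
    grants: dict = field(default_factory=dict)      # user -> AccessGrant
    audit_log: list = field(default_factory=list)   # every grant, revoke and decision

    def grant(self, grant: AccessGrant) -> None:
        """Record a management-approved role assignment; the role must already
        have documented access requirements or the grant is refused."""
        if grant.role not in ROLE_PERMISSIONS:
            raise ValueError(f"undefined role {grant.role!r}; define its access requirements first")
        self.grants[grant.user] = grant
        self.audit_log.append(("grant", grant.user, grant.role, grant.approved_by, grant.ticket))

    def revoke(self, user: str, approved_by: str, ticket: str) -> None:
        """Remove a grant and log the change, e.g. after a review finding."""
        grant = self.grants.pop(user, None)
        if grant is not None:
            self.audit_log.append(("revoke", user, grant.role, approved_by, ticket))

    def is_authorized(self, user: str, system: str, action: str) -> bool:
        """Default deny: no grant, an unlisted system or an unlisted action all
        evaluate to False. Only an explicit role permission yields True."""
        grant = self.grants.get(user)
        if grant is None:
            decision = False
        else:
            allowed = ROLE_PERMISSIONS.get(grant.role, {}).get(system, set())
            decision = action in allowed
        self.audit_log.append(("access", user, system, action, decision))
        return decision


def review_access(acs: AccessControlSystem, hr_roles: dict) -> list:
    """Periodic review: compare each recorded grant against the role the HR
    directory (an assumed source of truth) currently lists for the user.
    Returns (user, granted_role, reason) for every grant that no longer fits."""
    findings = []
    for user, grant in acs.grants.items():
        current = hr_roles.get(user)
        if current is None:
            findings.append((user, grant.role, "user no longer in HR directory"))
        elif current != grant.role:
            findings.append((user, grant.role, f"HR role is now {current!r}"))
    return findings


def build_sample() -> AccessControlSystem:
    """Constructed sample grants so the checks below can run offline."""
    acs = AccessControlSystem()
    acs.grant(AccessGrant("alice", "dba", "cto", date(2023, 1, 9), "CHG-1001"))
    acs.grant(AccessGrant("bob", "payment-app-support", "it-manager", date(2023, 2, 2), "CHG-1017"))
    return acs


if __name__ == "__main__":
    acs = build_sample()
    print(acs.is_authorized("alice", "payment-db", "admin"))   # True: explicit dba permission
    print(acs.is_authorized("bob", "payment-db", "write"))     # False: support role is read-only here
    print(acs.is_authorized("carol", "payment-db", "read"))    # False: no grant on record
    # Constructed HR snapshot: alice has moved to marketing, bob is unchanged.
    for finding in review_access(acs, {"alice": "marketing", "bob": "payment-app-support"}):
        print("review finding:", finding)
```

The review function is the part most often missing in practice: it turns the “periodically review all user access permissions” tip into a repeatable check that produces a list of grants to revoke or re-approve, each of which should then be logged through the same approval record as the original grant.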
- What if a company doesn’t use an automated change management system for requests and approvals?
- A business does not need an automated system, but if it does not have one, it must still meet the requirements listed in PCI DSS.
- The company must create a formal process for requesting and approving access.
- What does “least privilege” mean in terms of access?
- The principle of least privilege is a security concept in which an individual is granted the minimum level of access or permissions necessary to perform their job.
- Because each individual receives only the privileges needed to complete their job, this concept minimizes the risk if that individual’s account is misused or compromised.
- While “need to know” means the individual has a legitimate business justification for accessing a resource, least privilege is the enforcement method that limits access to that resource and what the individual can do with it.
- Why should an access control system be implemented?
- Access control systems are crucial in protecting businesses from privacy breaches, data theft and cyberattacks.
- The four main elements of access control are identification, authentication, authorization and finally auditing.
The purpose of PCI DSS is to protect networks and environments that store, process, or transmit cardholder data. Protecting an organization’s networks starts with ensuring that the traffic and data entering and leaving its environment are explicitly permitted and required in order to run the organization’s revenue-generating services. For those embarking on the path to PCI compliance, understanding and documenting all of the connections flowing through the organization should be the first step.