See why you should comply with PCI DSS Requirement 7 and restrict employee access to sensitive data.
Need-to-know means the minimum data and system access an employee requires to perform his or her job. PCI DSS Requirement 7 focuses on restricting access to cardholder data on a business “need-to-know” basis.
Typically, employees don’t share the same responsibilities: your accountant has different duties than your system administrator. If the accountant held the same system-level privileges as the system administrator, you would have created a new attack path within your organization. If the accountant’s workstation were compromised, an attacker could use it as a pivot point and move on to other vulnerable systems on the network, eventually reaching cardholder data. This is why Requirement 7 is crucial to security.
Here’s what you should know about PCI DSS Requirement 7 and restricting access to a “need-to-know” basis.
See also: PCI Requirement 7: 5 Reasons You Should Limit Employee Access to Your Data
Even though Requirement 7 is one of the smallest sections of the PCI DSS requirements, it’s one of the most vital.
The PCI DSS requires an access control system that restricts access to system components based on each user’s need to know and that denies, by default, anything not explicitly allowed; in practice this is almost always implemented as role-based access control (RBAC). Such a system lets you grant, suspend, and revoke access to all systems within your network, and most importantly to the systems within your cardholder data environment (CDE).
Unique user IDs are mandated by Requirement 8 rather than Requirement 7, but an RBAC solution depends on them: when each individual has a unique username and password, the access control system can record who accessed which system, when, and from where. Remember, shared or group usernames and passwords should never be used, because activity under them cannot be traced back to an individual if a breach occurs.
Requirement 7 is fairly basic in nature, and when implemented properly, can provide system administrators the control and visibility they need to securely manage the network.
See also: The Importance of the PCI DSS: Why You Should Get Compliant
Here’s a list of job roles that might require access to sensitive data:
User access applies to anyone who needs access to your systems. The big question to ask is: how much access does each individual employee actually need? The answer should be captured in the documentation and approval required by Requirement 7.
See also: SecurityMetrics PCI Guide
Restricting access on a need-to-know basis is only part of PCI DSS Requirement 7. Every user granted access to your network must be approved by authorized personnel, and that approval must be documented and specify the privileges required (see Requirement 7.1.4). For example, you should document the following:
This documentation and approval exercise helps system administrators, supervisors, and managers track which users have access to which systems and what permissions they have been granted. As users move within the company (e.g., promotions, demotions, onboarding, offboarding), these records must be updated to reflect their new RBAC roles and permissions, and access that is no longer needed must be revoked promptly rather than left in place.
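To make the access-control and documentation points above concrete, here is a small default-deny RBAC model with a documented approval on every grant and an audit trail tied to individual user IDs. This is an added example, not code from SecurityMetrics or the PCI SSC; the roles, resources (a “ledger” and a “chd_db”), user names and approvers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permissions as (resource, action). Constructed for illustration;
# any (resource, action) pair not listed here is denied by default.
ROLE_PERMISSIONS = {
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "payment_ops": {("chd_db", "read")},
    "sysadmin": {("chd_db", "admin"), ("ledger", "admin"), ("payment_app", "admin")},
}


@dataclass(frozen=True)
class Assignment:
    """One documented role grant: who approved it and when (cf. Req. 7.1.4)."""
    role: str
    approved_by: str
    approved_at: str


@dataclass
class AccessControl:
    # user id -> list of Assignment. Every key is an individual's ID; a shared
    # account here would make the audit trail below untraceable to a person.
    assignments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, **entry):
        entry["at"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)

    def grant(self, user, role, approved_by):
        """Record a role assignment together with its authorizing approver."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if approved_by == user:
            raise ValueError("self-approval is not a valid authorization")
        assignment = Assignment(role, approved_by, datetime.now(timezone.utc).isoformat())
        self.assignments.setdefault(user, []).append(assignment)
        self._log(event="grant", user=user, role=role, by=approved_by)

    def revoke(self, user, role, approved_by):
        """Remove one role from a user (e.g. after a demotion or transfer)."""
        self.assignments[user] = [
            a for a in self.assignments.get(user, []) if a.role != role
        ]
        self._log(event="revoke", user=user, role=role, by=approved_by)

    def offboard(self, user, approved_by):
        """Revoke every role; the user then falls back to the default deny."""
        for a in list(self.assignments.get(user, [])):
            self.revoke(user, a.role, approved_by)
        self.assignments.pop(user, None)

    def roles_of(self, user):
        return sorted({a.role for a in self.assignments.get(user, [])})

    def is_allowed(self, user, resource, action):
        """Deny unless some assigned role explicitly grants (resource, action)."""
        allowed = any(
            (resource, action) in ROLE_PERMISSIONS[a.role]
            for a in self.assignments.get(user, [])
        )
        # Every decision is logged against the individual user ID, which is
        # what lets an investigator answer who/what/when after an incident.
        self._log(event="access", user=user, resource=resource, action=action,
                  decision="allow" if allowed else "deny")
        return allowed


if __name__ == "__main__":
    ac = AccessControl()
    ac.grant("alice", "accountant", approved_by="cfo")
    ac.grant("bob", "sysadmin", approved_by="cto")
    print(ac.is_allowed("alice", "ledger", "read"))   # allowed by role
    print(ac.is_allowed("alice", "chd_db", "read"))   # denied: not in her role
    ac.offboard("alice", approved_by="cfo")
    print(ac.is_allowed("alice", "ledger", "read"))   # denied after offboarding
    for entry in ac.audit_log:
        print(entry)
```

The two properties worth noticing are that an unknown user or an unlisted (resource, action) pair is denied without any special-casing, because the only way to be allowed is through an explicit role permission, and that the accountant’s compromise in the scenario at the top of the article would not by itself yield any access to the cardholder data store, since that permission lives only in other roles.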
Here are a few additional PCI DSS Requirement 7 compliance tips: