Requirement 7: Restrict access to system components and CHD by business “need to know”


  • This requirement specifies the processes and controls that should restrict each user’s access rights to the minimum they need to perform their duties on a “need-to-know” basis.

  • Figure 18. Global state of PCI DSS compliance: Requirement 7

  • Full compliance: Full compliance improved slightly for Requirement 7. An average of just over 90% of organizations maintained full compliance across all base controls. Control 7.2 improved by 5.7 pp—a good achievement and very positive development.

    Control gap: The control gap of Requirement 7 was slashed in half, from 6.7% to 3.2%. The performance improved across all base controls. Control 7.2 reduced by 5.4 pp from a high 8.9% gap to only 3.5% of controls found not in place during interim validation.

    Compensating controls: No organizations applied compensating controls to meet Requirement 7.

    In over 10 years of compliance trend analyses, 2019 was the only year in which one organization in the PSR dataset applied a compensating control to meet this requirement.

  • Figure 19. Requirement 7 control performance

    • A tip on sustainable control effectiveness

      System access controls that are not restricted based on an individual’s job role and function can result in inconsistent applications of system access permissions and inappropriate levels of access to sensitive data. It’s important to establish access matrices that map system access requirements to job roles across the organization and to automate configuration management. These form the basis of effective role-based access control; additional permissions can be added with appropriate approvals.

  • Requirement 7: Restrict access to system components and cardholder data by business “need to know”

    The goal

    The goal of PCI DSS Key Requirement 7 is to maintain a reliable and sustainable capability to prevent unauthorized access to account data and systems across the CDE by effectively restricting access to system components and CHD by business “need to know,” and the capability to detect and respond to access control violations.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • IT components: All system components within the CDE, including related security system components that support access control to and from the CDE. The most common platforms for role-based access control (RBAC) are Windows® Active Directory® and Lightweight Directory Access Protocol (LDAP) directories
    • People: All employees (such as IT and security staff, accountants, support staff, call center agents, and executives), contractors, consultants, and internal and external vendors and other third parties that provide support or maintenance services, and any individual that should access CHD or any system component within the CDE (any component that processes, stores and/or transmits account data, and also components that directly connect to or support such components)
    • Documentation: Detailed documented standards and procedures for the configuration of all administrator and user accounts, including procedures to define, identify and assign different roles and responsibilities, access to data resources, required privilege levels, formal approval of access requests, and periodic internal audits for review and reconciliation between expected access privileges and actual system configurations

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Competence: Document an RBAC standard and procedures to restrict account data access to only those who need it to perform their job, to prevent all unauthorized exposure of account data
    • Capability—process: Maintain the capability for the reliable, sustainable and effective access management process that covers all components within the CDE
    • Capability—automation: Implement and maintain the use of automated tools to support the monitoring and frequent review of access privileges according to the “least privilege” principle. This should include periodic auditing and evaluation of access control systems to review consistency and effectiveness
    • Documentation and processes: Maintain effective standard operating procedures, with clearly articulated standards. Regularly train and educate staff on how to follow the documented procedures

    Strong dependencies and integration with other key requirements

    • Requirement 8: Strong dependency and integration with user identity and authentication
    • Requirement 10: Integration with logging and monitoring
    • Requirement 2: Security configuration of system components
    • Requirement 9: Integration with physical security controls
    • Requirement 1: Integration with network security controls

    Short-term objectives

    • Standardization: Identify and document all access control mechanisms to ensure that all components across the CDE conform to authorized and approved access control systems, standards and procedures
    • Automation and integration: Implement or update and integrate an automated RBAC system for centralized management and oversight of access control configurations across the CDE
    • Internal audit: Identify all inactive users on in-scope systems and either permanently disable or delete them; identify and remove all group or shared usernames and passwords
    • Hardening: Properly harden and configure network security components to protect the RBAC system from compromise
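    The reconciliation that the access-matrix tip, the documentation item and the internal audit objective above describe can be automated. The script below is an added example, not part of the Verizon report or any vendor tool: it compares a constructed role-to-privilege access matrix against a constructed export of account configurations and flags excess privileges, inactive accounts, shared accounts and accounts with roles the matrix does not define. Account fields, system names and the 90-day inactivity threshold are assumptions for illustration.

    ```python
    from dataclasses import dataclass, field
    from datetime import date, timedelta
    from typing import Optional

    @dataclass
    class Account:
        username: str
        role: Optional[str]         # None marks a shared/group account with no individual owner
        last_login: Optional[date]  # None means the account has never logged in
        grants: set = field(default_factory=set)  # (system, privilege) pairs actually configured

    # Access matrix (constructed): job role -> (system, privilege) pairs the role may hold.
    ACCESS_MATRIX = {
        "call_center_agent": {("card_app", "read")},
        "accountant": {("card_app", "read"), ("settlement_db", "read")},
        "dba": {("settlement_db", "admin")},
    }

    def reconcile(accounts, matrix, today, inactive_days=90):
        """Compare configured grants with the access matrix and report nonconformities.
        Shared accounts are candidates for removal, unknown roles need an owner decision,
        inactive accounts are disable candidates, and grants beyond the role's
        entitlement are excess privilege. Lists are built in input order."""
        findings = {"excess": [], "inactive": [], "shared": [], "unknown_role": []}
        cutoff = today - timedelta(days=inactive_days)
        for acct in accounts:
            if acct.role is None:
                findings["shared"].append(acct.username)
                continue
            if acct.role not in matrix:
                findings["unknown_role"].append((acct.username, acct.role))
                continue
            if acct.last_login is None or acct.last_login < cutoff:
                findings["inactive"].append(acct.username)
            for system, priv in sorted(acct.grants - matrix[acct.role]):
                findings["excess"].append((acct.username, system, priv))
        return findings

    # Constructed sample of what a directory/system export might contain.
    SAMPLE_ACCOUNTS = [
        Account("alice", "call_center_agent", date(2024, 6, 28), {("card_app", "read")}),
        Account("bob", "accountant", date(2024, 6, 1), {("card_app", "read"), ("settlement_db", "admin")}),
        Account("carol", "dba", date(2024, 1, 15), {("settlement_db", "admin")}),
        Account("helpdesk", None, date(2024, 6, 29), {("card_app", "read")}),
        Account("dave", "contractor", None, {("card_app", "read")}),
    ]

    def sample_findings():
        return reconcile(SAMPLE_ACCOUNTS, ACCESS_MATRIX, today=date(2024, 6, 30))

    if __name__ == "__main__":
        for kind, items in sample_findings().items():
            print(f"{kind}: {items}")
    ```

    Each finding maps to a Requirement 7 action: excess grants are revoked or formally approved, inactive and shared accounts are disabled or deleted, and unknown roles are added to the matrix or the account is reassigned.
    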

    Long-term objectives

    • Maturity: Achieve and maintain high-performance maturity on access control management by further improving IT system capabilities and the level of automation, and refining configurations and support processes, documentation and user training. Improve the detection and response to access control nonconformities and violations

    Common constraints

    • Capacity and cost: The level of effort and cost to implement an RBAC system, and maintain an up-to-date list of users and roles within large environments
    • Capability: Lack of awareness, communication and coordination, often due to siloed internal organizational structures
    • Competency: The ability to manage complex architecture and infrastructure environments and deal with legacy systems or third-party systems that cannot be integrated