This is the seventh blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. For links to the previous posts in this series, use the links below:
PCI Requirement 7: Restrict access to cardholder data by business need to know
Requirement 7 kicks off the access control portion of your PCI compliance program. Before we dig into the challenges companies face, two fundamental access control principles need to be covered:
- “Need to Know” – The employee has a legitimate need or reason to access something that is core to their job responsibilities. For example, Joe in the marketing department does not need to know the administrator password for the cardholder data environment (CDE).
- “Least Privilege” – Least privilege builds on need to know. An employee might need access to a specific application because it is core to their job responsibilities, but the permissions within that application should grant only what is essential for them to complete their job. For example, the sales group should have access to the Customer Relationship Management (CRM) software the company uses; restricting their ability to see accounts that are not assigned to them is an example of least privilege.
Requirement 7 pushes companies to make sure they are appropriately limiting both access to systems and the permissions within those systems. Ensuring your company’s IT department grants access only as needed and uses roles is an additional piece of requirement 7 to be aware of. Role-based access control (RBAC) eases the burden on administrators and creates a clean trail of who can access which information in your CDE.
Companies that require PCI Compliance face some specific challenges within requirement 7:
- Privilege Creep – The challenge some companies face on their first pass through PCI is cleaning up the “privilege creep” that has accumulated over the years. People have moved positions or needed access at one time or another, and the old privileges were never removed. Cleaning this up takes work from both IT and the business to ensure the principles of “need to know” and “least privilege” are implemented.
- Access Reviews – The challenge here is implementing and documenting access reviews. Access reviews should be conducted at least annually and documented. Checking who had access to what, and whether that access is still needed, is critical to the review.
- Access Requests – The challenge here is creating an approval process for access requests. This can be accomplished in many ways, but it adds a task for the personnel required to complete these approvals.
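To make the RBAC, privilege-creep and access-review points concrete, here is an added example (not code from this post or from Compass): a small Python RBAC model that reconciles the grants actually present in systems against what each user’s current roles justify, flags anything no role explains as privilege creep, and emits the keep/revoke record an annual access review would document. The roles, users, permission names and grants are constructed sample data.

```python
# Constructed sample data (hypothetical roles, users and grants, not from the post).
# Each role lists the permissions its holders need to know about; nothing more.
ROLE_PERMISSIONS = {
    "cde-admin": {"cde:db:admin", "cde:host:ssh", "cde:logs:read"},
    "sales": {"crm:accounts:read-own", "crm:opportunities:write"},
    "marketing": {"crm:campaigns:write", "crm:accounts:read-own"},
    "security-analyst": {"cde:logs:read"},
}

# Current role assignments (the intended state).
USER_ROLES = {
    "joe": {"marketing"},
    "maria": {"sales"},
    "sam": {"security-analyst"},
}

# Grants actually present in the systems (the observed state). Joe kept a CDE
# grant from an old position; Sam was given SSH "temporarily" and never lost it.
ACTUAL_GRANTS = {
    "joe": {"crm:campaigns:write", "crm:accounts:read-own", "cde:db:admin"},
    "maria": {"crm:accounts:read-own", "crm:opportunities:write"},
    "sam": {"cde:logs:read", "cde:host:ssh"},
}


def entitled_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of permissions the user's current roles justify (need to know via RBAC).
    An unknown role name raises KeyError on purpose: it is a data error to fix."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions[role]
    return perms


def find_privilege_creep(actual_grants=ACTUAL_GRANTS, user_roles=USER_ROLES,
                         role_permissions=ROLE_PERMISSIONS):
    """Map each user to the sorted grants no current role justifies (privilege creep)."""
    creep = {}
    for user, grants in actual_grants.items():
        excess = grants - entitled_permissions(user, user_roles, role_permissions)
        if excess:
            creep[user] = sorted(excess)
    return creep


def access_review(actual_grants=ACTUAL_GRANTS, user_roles=USER_ROLES,
                  role_permissions=ROLE_PERMISSIONS):
    """One (user, grant, justifying roles, decision) row per grant: the record the
    annual access review documents. A grant with no justifying role is 'revoke'."""
    rows = []
    for user in sorted(actual_grants):
        for grant in sorted(actual_grants[user]):
            justified_by = sorted(r for r in user_roles.get(user, ())
                                  if grant in role_permissions[r])
            rows.append((user, grant, justified_by, "keep" if justified_by else "revoke"))
    return rows
```

Running `find_privilege_creep()` on the sample data flags Joe’s `cde:db:admin` and Sam’s `cde:host:ssh`, and `access_review()` lists every grant with the role that justifies it, which is the evidence an assessor asks for.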
Compass is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with PCI.
These challenges are just some of the areas within the PCI DSS requirements that many of our clients face. Another area where our clients experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI compliance. Therefore, Compass has created a PCI Compliance checklist, one for service providers and one for merchants. This simple, easy-to-use checklist gives you the PCI requirements, what you must do to achieve and maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!