7 — Restrict Access to System Components and Cardholder Data by Business Need to Know
The 11 sub-requirements under Requirement 7, Restrict Access to System Components and Cardholder Data by Business Need to Know, are:
7.1.1: All security policies and operational procedures that are identified in Requirement 7 are documented, kept up to date, in use, and known to all affected parties.
7.1.2: Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.
7.2.1: An access control model is defined and includes granting access as follows: appropriate access depending on the entity’s business and access needs.
7.2.2: Access is assigned to users, including privileged users, based on job classification and function.
7.2.3: Required privileges are approved by authorized personnel.
7.2.4: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: at least once every six months, and to ensure user accounts and access remain appropriate based on job function.
7.2.5: All application and system accounts and related access privileges are assigned and managed as follows: based on the least privileges necessary for the operability of the system or application.
7.2.6: All user access to query repositories of stored cardholder data is restricted as follows: via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.
7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components.
7.3.2: The access control system(s) is configured to enforce privileges assigned to individuals, applications, and systems based on job classification and function.
7.3.3: The access control system(s) is set to “deny all” by default.