PCI DSS Requirement 7: Restrict Cardholder Data Access

Assigning permissions carefully is one means of protecting sensitive account data by providing the minimum level of access necessary to perform an employee’s job.

Requirement 7 details the means of securing data by keeping those who have access to “need-to-know” rights - which refers to only providing personnel the least amount of data needed to perform a job. 

For additional details on all 12 of the Requirements, read our PCI DSS Requirements overview.

Requirement 7 Details and Sections

Requirement 7 contains three sections that detail the means of securing account data by carefully assigning user permissions and access controls.

• Requirement 7.1: Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
• Requirement 7.2: Access to system components and data is appropriately defined and assigned.
• Requirement 7.3: Access to system components and data is managed via access control systems.

Requirement 7.1: Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.

Like other requirements found in PCI DSS 4.0, the first section of the requirement - 7.1 - explains the importance of creating and maintaining policies for adherence. These processes must be consistently monitored and updated whenever required, and all involved personnel must understand their responsibilities.

Detailed requirement sections include:

• Requirement 7.1.1: All security policies and operational procedures that are identified in Requirement 7 are documented, up-to-date, in use, and known to all impacted parties.
• Requirement 7.1.2: Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood. 

Requirement 7.2: Access to system components and data is appropriately defined and assigned.

Section 7.2 outlines, with some specificity, the proper means of administering access to those who need it. In most instances, the lowest level of access should be the default permission set, with administrator accounts being carefully guarded and assigned only when absolutely necessary. 

Detailed requirement sections include:

• Requirement 7.2.1: An access control model is defined and includes granting access as follows:
  • Appropriate access depending on the entity’s business and access needs.
  • Access to system components and data resources is based on users’ job classification and functions.
  • The least privileges required to perform a job function.
• Requirement 7.2.2: Access is assigned to users based on job classification and function, and the least privileges necessary to perform job responsibilities.
• Requirement 7.2.3: Required privileges are approved by authorized personnel.
• Requirement 7.2.4: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed at least once every six months as follows:
  • To ensure user accounts and access are appropriate based on job function.
  • Any inappropriate access is addressed.
  • Management confirms this access level is appropriate. 
• Requirement 7.2.5: All system accounts and access privileges are assigned and managed as follows:
  • Based on the least privileges necessary for the operability of the system or application.
  • Access is limited to the systems, applications, or processes that specifically require their use.

• Requirement 7.2.6: All user access to query repositories of stored cardholder data is restricted as follows:
  • Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.
  • Only the responsible administrator(s) can directly access or query repositories of stored cardholder data. 

Requirement 7.3: Access to system components and data is managed via access control systems.

Access control systems can automate the process of restricting access and assigning privileges, and this reduces the chance of errors or improper access. Setting the default access to “deny all” can also ensure that nobody will receive access until explicitly granted.

Detailed requirement sections include:

• Requirement 7.3.1: Access control systems are in place that restrict access based on a user’s need to know and cover all system components. 
• Requirement 7.3.2: The access control systems enforce permissions assigned to individuals, applications, and systems based on job classification and function. 
• Requirement 7.3.3: The access control systems are set to “deny all” by default. 

How Basis Theory can help you Satisfy PCI DSS Requirement 7

Securing cardholder data in a CDE satisfies many PCI DSS requirements and provides companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.

As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share credit cards without bringing their systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.

*PCI DSS Requirement information contained in this post is for educational purposes only and references material from the guide "Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0" published by the PCI SSC in March 2022. Please refer to the PCI Security Standards Council website for the complete, up-to-date, accurate requirements.