See why you should restrict employee access to sensitive data.   

By: Matt Glade
Security Analyst
CISSP, QSA
Need-to-know is defined as the least amount of data required for an employee to be able to perform his/her job. PCI requirement 7 focuses on restricting access to cardholder data on a business “need-to-know” basis.

Typically, employees don’t share the same responsibilities. Your accountant has different responsibilities than your system administrator. If your accountant has the same system-level privileges as your system administrator, you’ve potentially created a new attack vector within your organization. If the accountant’s system were compromised, hackers could use it as a pivot point and leapfrog into other vulnerable systems within the network. This could eventually lead to a cardholder data breach. This is why Requirement 7 is crucial to security.

Here’s what you should know about PCI DSS Requirement 7 and restricting access to a “need-to-know” basis.


Why restrict access? 

Even though Requirement 7 is one of the smallest sections of the PCI DSS requirements, it’s one of the most vital.

The PCI DSS requires you to have an RBAC (Role-Based Access Control) solution. This lets you grant, suspend, and revoke access to all systems within your network and, most importantly, to the systems within your cardholder data environment.
A well-designed RBAC solution limits access to individuals and groups on a need-to-know basis.

An RBAC solution not only lets system administrators create unique usernames and passwords for each individual within your organization, it also helps create a trail for tracking who accessed a system, what they accessed, when, and where. Remember, shared or group usernames and passwords should never be used, since they cannot be traced back to an individual if a breach were to occur.

Requirement 7 is fairly basic in nature, and when implemented properly, can provide system administrators the control and visibility they need to securely manage the network.


Who needs access to your cardholder data?

Here’s a list of job roles that might require access to sensitive data:
  • Accountants
  • IT staff
  • Executives
  • Support staff
  • Call center agents
User access applies to anyone in need of access to your systems. The big question to ask yourself is, how much access does each individual employee need? This should be answered in the documentation and approval section of Requirement 7.

Document your list 

Restricting access on a need-to-know basis is only a portion of PCI DSS Requirement 7. All employees who are granted access to your network must be approved and documented by authorized personnel (see Requirement 7.1.4). For example, you should document the following:
  • Employee’s name
  • Employee’s username
  • RBAC Group or Role
  • Type of User
  • Managing Supervisor’s Signature
  • Manager’s Approval
This exercise of documentation and approval helps system administrators, supervisors, and managers track which users have access to what systems and the permissions they’ve been granted. As users move about the company (e.g., promotions, demotions, on-boarding, off-boarding) these documents need to be updated to reflect their new RBAC roles and permissions.

Additional tips 

Here are a few additional PCI DSS Requirement 7 compliance tips:
  • Periodically audit your RBAC solution (e.g., quarterly or semi-annually) for inactive users and either permanently disable or delete them
  • During your defined periodic RBAC system audit, look for users with superfluous permissions and revoke them
  • Set up unique usernames and passwords to make sure each employee has unique credentials
  • NEVER use group or shared usernames and passwords
  • Train employees on limited access policies. Keep your employees in-the-know by providing ongoing security awareness training
  • Work with a QSA to help you find areas you may need to focus on
  • Properly harden and configure your firewall to protect your RBAC system from compromise
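
One way to automate the periodic audit described in the tips above, as an added example that is not from the original article. The roster fields follow the article's documentation list; the role-to-permission map, the 90-day inactivity threshold, the `rec` helper, and all sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Assumed role definitions: the permissions each RBAC role needs for its job.
ROLE_PERMISSIONS = {
    "accountant": {"ledger:read", "ledger:write"},
    "sysadmin": {"server:admin", "firewall:admin"},
    "call_center": {"orders:read"},
}
INACTIVE_AFTER = timedelta(days=90)  # assumed inactivity threshold
AUDIT_DATE = date(2024, 6, 15)       # constructed "today" for the sample run

def rec(name, username, role, user_type, approved_by, last_login, perms):
    """Build one access record (hypothetical helper for the sample data)."""
    return {"name": name, "username": username, "role": role, "user_type": user_type,
            "approved_by": approved_by, "last_login": last_login, "permissions": set(perms)}

# Constructed roster; fields mirror the article's documentation list.
ROSTER = [
    rec("A. Lee", "alee", "accountant", "individual", "M. Ortiz", date(2024, 5, 28),
        ["ledger:read", "ledger:write", "server:admin"]),
    rec("B. Kim", "bkim", "sysadmin", "individual", "M. Ortiz", date(2024, 6, 1),
        ["server:admin", "firewall:admin"]),
    rec("C. Diaz", "cdiaz", "call_center", "individual", "", date(2024, 1, 10),
        ["orders:read"]),
    rec("Front Desk", "frontdesk", "call_center", "shared", "M. Ortiz", date(2024, 6, 14),
        ["orders:read"]),
]

def audit_roster(roster, today):
    """Return (username, finding, detail) tuples for records that need review."""
    findings = []
    for r in roster:
        user = r["username"]
        # An unknown role grants nothing, so every permission it holds is flagged.
        excess = r["permissions"] - ROLE_PERMISSIONS.get(r["role"], set())
        if excess:
            findings.append((user, "excess_permissions", sorted(excess)))
        # Never-used accounts (last_login is None) count as inactive too.
        if r["last_login"] is None or today - r["last_login"] > INACTIVE_AFTER:
            findings.append((user, "inactive", r["last_login"]))
        if not r["approved_by"]:
            findings.append((user, "missing_approval", None))
        if r["user_type"] != "individual":
            findings.append((user, "shared_account", r["user_type"]))
    return findings

if __name__ == "__main__":
    for finding in audit_roster(ROSTER, AUDIT_DATE):
        print(finding)
```

In practice the roster would be exported from your directory or RBAC system, and each finding would be reviewed against the signed approval record before access is disabled or revoked.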

Matt Glade (CISSP, QSA) has worked in the IT sector for over 20 years. He currently performs security assessments for merchants and service providers looking to become PCI compliant. He also performs HIPAA Risk Analysis/Assessments and HIPAA Compliance Assessments. He has been a Security Assessor for SecurityMetrics for over 4 years, lending his extensive knowledge of the IT industry in performing assessments for clients who wish to achieve PCI or HIPAA compliance.