7.2 Access to system components and data is appropriately defined and assigned.
This requirement focuses on ensuring that access to system components and cardholder data is properly defined and assigned based on job classification, function, and the principle of least privilege.
Sub-requirements:
- 7.2.1 An access control model is defined and includes granting access as follows:
- 7.2.2 Access is assigned to users, including privileged users, based on:
- 7.2.3 Required privileges are approved by authorized personnel.
- 7.2.4 All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:
- 7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:
- 7.2.5.1 All access by application and system accounts and related access privileges are reviewed as follows:
- 7.2.6 All user access to query repositories of stored cardholder data is restricted as follows:
Access rights must be based on job role and business need to know, and must be reviewed regularly for appropriateness.
Key Risks
Frequently Asked Questions
How should access rights be assigned?
Based on job classification, business need to know, and least privilege principles.
How often should access be reviewed?
At least once every six months, and after significant job or role changes.
What is the role of management in access assignment?
Management must approve access rights and review them regularly.
How are access changes documented?
Through access request forms, approval workflows, and review logs.
What happens if inappropriate access is discovered?
It is revoked immediately and investigated according to incident response procedures.
Common QSA Questions
Can you show evidence of access reviews and approvals?
Yes, we maintain logs of all access reviews, approvals, and changes.
How do you ensure least privilege is enforced?
We use role-based access controls and require business justification for all access rights.
How are access rights updated when job roles change?
Access is modified or revoked as part of the HR offboarding and role change processes.