WithPCI.com

7.2.3 Required privileges are approved by authorized personnel.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

7.2.3 Required privileges are approved by authorized personnel.

Customized Approach Objective

Access privileges cannot be granted to users without appropriate, documented authorization.

Defined Approach Testing Procedures

7.2.3.a Examine policies and procedures to verify they define processes for approval of all privileges by authorized personnel.

7.2.3.b Examine user IDs and assigned privileges, and compare with documented approvals to verify that:

  • Documented approval exists for the assigned privileges.
  • The approval was by authorized personnel.
  • Specified privileges match the roles assigned to the individual.
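Testing procedure 7.2.3.b as an automated reconciliation check, an added example that is not from WithPCI or the PCI DSS document; the data model, the approver list, the role map and every sample record are assumptions constructed for illustration:

```python
# Added example (not from WithPCI or the PCI SSC): reconciles assigned
# privileges against documented approvals the way testing procedure 7.2.3.b
# describes. All data below is constructed; field names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    user_id: str
    privilege: str
    role: str

@dataclass(frozen=True)
class Approval:
    user_id: str
    privilege: str
    approver: str

# Constructed sample data; in practice it comes from the IAM export, the
# access-request system and the role definitions in the access control policy.
AUTHORIZED_APPROVERS = {"it.manager", "security.lead"}
ROLE_PRIVILEGES = {
    "cashier": {"pos_read"},
    "dba": {"pos_read", "cde_db_admin"},
}
ASSIGNMENTS = [
    Assignment("alice", "pos_read", "cashier"),
    Assignment("bob", "cde_db_admin", "dba"),
    Assignment("carol", "cde_db_admin", "cashier"),  # privilege outside role
    Assignment("dave", "pos_read", "cashier"),       # approved by a non-approver
    Assignment("erin", "pos_read", "cashier"),       # no approval on record
]
APPROVALS = [
    Approval("alice", "pos_read", "it.manager"),
    Approval("bob", "cde_db_admin", "security.lead"),
    Approval("carol", "cde_db_admin", "it.manager"),
    Approval("dave", "pos_read", "helpdesk.intern"),
]

def check_privileges(assignments, approvals, authorized_approvers, role_privileges):
    """Return (user_id, privilege, finding) for each assignment failing 7.2.3.b."""
    approved_by = {(a.user_id, a.privilege): a.approver for a in approvals}
    findings = []
    for asg in assignments:
        approver = approved_by.get((asg.user_id, asg.privilege))
        if approver is None:                      # bullet 1: approval exists
            findings.append((asg.user_id, asg.privilege, "no documented approval"))
        elif approver not in authorized_approvers:  # bullet 2: approver is authorized
            findings.append((asg.user_id, asg.privilege, f"approver {approver} not authorized"))
        if asg.privilege not in role_privileges.get(asg.role, set()):  # bullet 3: matches role
            findings.append((asg.user_id, asg.privilege, f"privilege not in role {asg.role}"))
    return findings
```

Each finding maps to one of the three bullets above, so an empty result means the sampled IDs pass all three checks; anything returned is evidence for the assessor to follow up.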

Purpose

Documented approval (for example, in writing or electronically) assures that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.

purpose

Ensure access rights are assigned to individuals based on least privilege.

compliance strategies

  • Access reviews
  • Automated entitlement management

typical policies

  • Least Privilege Policy

common pitfalls

  • Excessive access
  • No periodic review

type

Process/Technical Control

difficulty

Moderate

key risks

  • Data leakage
  • Unauthorized changes

recommendations

  • Automate access review and recertification

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
