WithPCI.com

7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:

  • Based on the least privileges necessary for the operability of the system or application.
  • Access is limited to the systems, applications, or processes that specifically require their use.

Customized Approach Objective

Access rights granted to application and system accounts are limited to only the access needed for the operability of that application or system.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

7.2.5.a Examine policies and procedures to verify they define processes to manage and assign application and system accounts and related access privileges in accordance with all elements specified in this requirement.

7.2.5.b Examine privileges associated with system and application accounts and interview responsible personnel to verify that application and system accounts and related access privileges are assigned and managed in accordance with all elements specified in this requirement.

Purpose

It is important to establish the appropriate access level for application or system accounts. If such accounts are compromised, malicious users will receive the same access level as that granted to the application or system. Therefore, it is important to ensure limited access is granted to system and application accounts on the same basis as to user accounts.

Good Practice

Entities may want to consider establishing a baseline when setting up these application and system accounts including the following as applicable to the organization:

  • Making sure that the account is not a member of a privileged group such as domain administrators, local administrators, or root.
  • Restricting which computers the account can be used on.
  • Restricting hours of use.
  • Removing any additional settings like VPN access and remote access.
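To make the baseline above checkable rather than a checklist, here is an added example (not from the PCI DSS text or the WithPCI page) that audits constructed Active Directory-style account records against it. The attribute names memberOf, userWorkstations and logonHours follow AD conventions; the vpn_enabled and remote_desktop_enabled flags and the sample records are constructed for illustration.

```python
from typing import Optional, List

# Added example, not part of the PCI DSS requirement text. Group names and
# remote-access flags are illustrative; adjust to your directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
REMOTE_ACCESS_FLAGS = {"vpn_enabled", "remote_desktop_enabled"}  # hypothetical


def allowed_hours(logon_hours: Optional[bytes]) -> int:
    """Count permitted hours in an AD logonHours mask: 21 bytes = 168 bits,
    one bit per hour of the week (UTC), low bit first, Sunday is day 0.
    A missing attribute means the account may log on at any hour."""
    if logon_hours is None:
        return 168
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    return sum(bin(b).count("1") for b in logon_hours)


def audit_account(acct: dict) -> List[str]:
    """Return the baseline items the account fails (empty list = passes)."""
    findings = []
    privileged = set(acct.get("memberOf", [])) & PRIVILEGED_GROUPS
    if privileged:
        findings.append(f"member of privileged group(s): {sorted(privileged)}")
    if not acct.get("userWorkstations"):
        findings.append("no workstation restriction (can log on anywhere)")
    if allowed_hours(acct.get("logonHours")) == 168:
        findings.append("no logon-hours restriction")
    extras = REMOTE_ACCESS_FLAGS & {k for k, v in acct.items() if v is True}
    if extras:
        findings.append(f"remote access enabled: {sorted(extras)}")
    return findings


def business_hours_mask(start: int = 8, end: int = 18) -> bytes:
    """Build a logonHours mask allowing Monday-Friday, start..end (UTC)."""
    bits = 0
    for day in range(1, 6):  # Monday (1) .. Friday (5)
        for hour in range(start, end):
            bits |= 1 << (day * 24 + hour)
    return bits.to_bytes(21, "little")


# Constructed sample records: one over-privileged, one matching the baseline.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_batch", "memberOf": ["Domain Admins"],
     "userWorkstations": "", "logonHours": None, "vpn_enabled": True},
    {"sAMAccountName": "svc_report", "memberOf": ["Report Readers"],
     "userWorkstations": "RPT-APP01,RPT-APP02",
     "logonHours": business_hours_mask(), "vpn_enabled": False},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["sAMAccountName"], audit_account(acct) or "baseline OK")
```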

Sub-requirements

Purpose

Ensure timely revocation or modification of access when job roles change.

Compliance Strategies

  • HR-triggered access changes
  • Automated deprovisioning

Typical Policies

  • Access Revocation Policy
  • Change of Role Procedure

Common Pitfalls

  • Delayed revocation
  • Orphaned accounts

Type

Process Control

Difficulty

Moderate

Key Risks

  • Former employees retain access

Recommendations

  • Integrate IAM with HRIS

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
