7.3.2 The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.
Defined Approach Requirements
7.3.2 The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.
Customized Approach Objective
Individual account access rights and privileges to systems, applications, and data are only inherited from group membership.
Defined Approach Testing Procedures
7.3.2 Examine vendor documentation and system settings to verify that the access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.
Purpose
Restricting privileged access with an access control system reduces the opportunity for errors in the assignment of permissions to individuals, applications, and systems.
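The testing procedure above asks the assessor to examine system settings and confirm that permissions are enforced by job classification and function, and the customized approach objective says individual accounts should inherit rights only from group membership. The script below is an added example, not part of this page or of the PCI DSS standard, of how to audit an access-control export for those two properties. It assumes a hypothetical JSON export in which each account lists its job function, its group memberships, and any permissions granted directly to the account; the role matrix, group permissions and account data are all constructed for illustration, and a real export (directory groups, IAM policies, database grants) would need its own loader.

```python
"""Audit an access-control export for PCI DSS 7.3.2 style deviations.

Added example. Assumes a hypothetical JSON export where each account
carries "job_function", "groups" and "direct_permissions" (grants made
to the account itself, outside any group). All data below is constructed.
"""
import json
from dataclasses import dataclass

# Constructed role matrix: which groups each job function may hold.
ROLE_MATRIX = {
    "cashier": {"pos-operators"},
    "dba": {"db-admins", "db-readonly"},
    "support": {"ticketing-users", "db-readonly"},
}

# Constructed mapping of what each group actually grants.
GROUP_PERMISSIONS = {
    "pos-operators": {"pos:process-sale"},
    "db-admins": {"db:read", "db:write", "db:admin"},
    "db-readonly": {"db:read"},
    "ticketing-users": {"ticket:read", "ticket:write"},
}

# Constructed export. Only alice is fully compliant.
SAMPLE_EXPORT = json.dumps([
    {"user": "alice", "job_function": "cashier",
     "groups": ["pos-operators"], "direct_permissions": []},
    {"user": "bob", "job_function": "support",
     "groups": ["ticketing-users", "db-admins"], "direct_permissions": []},
    {"user": "carol", "job_function": "dba",
     "groups": ["db-admins"], "direct_permissions": ["pos:refund"]},
    {"user": "dave", "job_function": "intern",
     "groups": ["db-readonly"], "direct_permissions": []},
])


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "direct_grant", "group_not_allowed" or "unknown_function"
    detail: str


def effective_permissions(account: dict) -> set[str]:
    """Permissions the account actually holds: group-derived plus direct."""
    perms = set(account.get("direct_permissions", []))
    for group in account.get("groups", []):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def audit_export(export_json: str) -> list[Finding]:
    """Flag accounts whose rights are not inherited purely from job-matched groups."""
    findings = []
    for account in json.loads(export_json):
        user = account["user"]
        function = account["job_function"]
        allowed = ROLE_MATRIX.get(function)
        if allowed is None:
            # No defined role means no group can be justified by job function.
            findings.append(Finding(user, "unknown_function",
                                    f"job function '{function}' has no defined groups"))
            allowed = set()
        # Customized approach objective: rights come only from group membership.
        for perm in account.get("direct_permissions", []):
            findings.append(Finding(user, "direct_grant",
                                    f"'{perm}' granted directly to the account, not via a group"))
        # Defined approach: groups must follow job classification and function.
        for group in account.get("groups", []):
            if group not in allowed:
                findings.append(Finding(user, "group_not_allowed",
                                        f"group '{group}' is not permitted for job function '{function}'"))
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f.user}: [{f.kind}] {f.detail}")
```

Run against the constructed export, the audit reports bob (a support group membership in `db-admins`), carol (a direct `pos:refund` grant outside any group) and dave (a job function with no defined role, plus the resulting unjustified group); alice produces no findings. The same two checks, direct grants and job-to-group mismatches, are what an assessor is looking for when examining the access control system's settings.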
Purpose
Ensure access to system components and cardholder data is based on business need to know, with permissions enforced by the access control system according to each account's job classification and function.
Compliance Strategies
- Access provisioning based on business justification, with permissions assigned to groups or roles that map to job functions rather than to individual accounts
- Periodic access reviews, including checks for permissions granted directly to individual accounts outside of group membership
Typical Policies
- Business Need Access Policy
Common Pitfalls
- Access granted without justification
- Permissions assigned directly to individual accounts, bypassing the group or role structure the access control system enforces
Type
Process Control
Difficulty
Moderate
Key Risks
- Data exposure
Recommendations
- Require business justification for all access requests
- Grant individual account access rights only through group membership, so that the access control system, not ad hoc assignment, determines effective permissions
Eligible SAQ
- SAQ D for Merchants
- SAQ D for Service Providers