Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know #

This requirement highlights the need for an access control mechanism for essential and sensitive data.

• 7.1 Limit access to system components and cardholder data should be given to only those whose job involves such access.
• 7.2 Access control system must be established for systems components to restrict access based on what users need to know.
• 7.3 Security policies and operational procedures for restricting access to cardholder data are well documented and known to all affected parties.

Requirement 8: Identify and authenticate access to system components #

Complementary to requirement 7, this requirement frames out the user control mechanism for accessing and using the cardholder’s information. This requirement lists out mechanisms to create and test features like assigning unique user ids, activity timing monitoring, password protection, and process of user access control.

• 8.1 Policies and procedures must be well defined and implemented to ensure proper user identification management.
• 8.2 Assign unique ID, and also ensure proper user-authentication management for non-consumer users.
• 8.3 All individual non-console administrative access and all remote access to the CDE that uses multi-factor authentication must be secured.
• 8.4 Authentication policies and procedures should be documented and communicated to all the users.
• 8.5 Group, shared, or generic IDs, passwords, or other authentication methods should not be used.
• 8.6 Authentication mechanisms must be assigned to an individual account only.
• 8.7 Access to any database that contains cardholder data must be restricted.
• 8.8 Security policies and operational procedures for identification and authentication are well documented and known to all affected parties.

Requirement 9: Restrict physical access to cardholder data #

• 9.1 Appropriate facility entry controls must be used to limit and monitor physical access to systems in the cardholder data environment.
• 9.2 Appropriate procedures should be developed to easily distinguish between onsite personnel and visitors.
• 9.3 Physical access for onsite personnel to sensitive areas must be controlled.
• 9.4 Set procedures must be implemented to identify and authorize visitors.
• 9.5 All media must be physically secured.
• 9.6 Strict control must be maintained over both internal or external distribution of media.
• 9.7 Strict control must be maintained over the storage and accessibility of media.
• 9.8 Media which are longer needed for business or legal works must be destroyed.
• 9.9 Devices that capture payment card data via direct physical interaction with the card must be protected from tampering and substitution.
• 9.10 Security policies and operational procedures for restricting physical access to cardholder data are well documented and known to all affected parties.