Part 7: Road Map to PCI

Well we are halfway done looking at each of the 12 requirements within the PCI Data Security Standards, let’s dive right in and take a look at the first requirement for Implementing Strong Access Control Measures.

Access Matters!

Let’s take a brief moment before we dive in to this requirement to understand why it is important to Implement Strong Access Control Measures. Last fall the retail industry hit a rough patch in regards to protecting card data, there were high-profile data breaches at many retailers such as Target, Neimann-Marcus, and Michaels that led to the theft of card numbers and in some cases encrypted PIN data. Investigations into each attack continue however one thing has become clear throughout, these attacks are often carried out by hackers compromising access controls to systems and computers.

Visa and Discover have recently issued security warnings to all merchants accepting card data that this is a trend among breaches over the last year, you can read the Visa bulletin here.

Restrict Access to Cardholder Data by Business Need-to-Know

Requirement 7 of the PCI Data Security Standards is the first step to Implement Strong Access Controls, and states that you must Restrict Access to Cardholder Data by Business Need-to-Know. If your organization does not  store process or transmit card data in any systems then you are most likely in a set of security standards where this requirement does not apply. Take special note though that entering transactions on behalf of your cardholders is transmission from your location and these requirements would apply.

What it Means

This boils down to making sure that access to your systems is only provided to those who absolutely need it based on their job classification and function, this is often referred to as Role Based Access Control. An example I often use here is that you wouldn’t give the janitor access to your payment system because there is no reason they would ever need that ability to perform their duties.

It is also required that individuals who have access to your payments environment are limited to the least privileges necessary to perform their responsibilities. An example here may be that the bookkeeper at your organization needs access to reporting and nothing more. In this case you would want to give them access to just that piece while making sure that they do not have access to other areas such as a virtual terminal or any stored data.

Document the process

Documentation is an incredibly valuable and often times required step for ensuring compliance with the PCI DSS. At times documenting processes or procedures can be time consuming, luckily documenting user privileges for systems that touch your card data environment is a fairly simple process.

First grab a sheet of paper or fire up Excel and list all of the employees that you have who you know should have access to systems that are part of your card data environment, list exactly which systems and privileges they should have and enable only those for their credentials. Anyone in your organization that is not on the list should be denied access to these systems, be sure you review this list on at least an annual basis as well as case by case scenarios.

Moving Forward

Overall the requirement to Restrict Access to Cardholder Data by Business Need-to-Know is not too difficult to meet; with a well thought out plan and a relatively short amount of time you can map out who needs access to what and ensure that only those employees are able to interact with those systems in your payment environment.

Next month we will take a look at the second requirement that must be met in order to Implement Strong Access Control Measures, be sure to subscribe to our blog below to be notified when we break down that requirement next month.

If you have any questions about PCI that you would like to see covered, let us know! You can email us at to share your thoughts or questions which we may then address here on our blog!