PCI DSS Requirement 7


PCI DSS Requirement 7: Restrict access to cardholder data by business need to know 

 
Requirements Addressed

7.1.2 Assignment of privileges is based on individual personnel's job classification and function.

7.1.4 Implementation of an automated access control system.

7.2.1 Confirm that access control systems are in place on all system components.

7.2.2 Assignment of privileges to individuals based on job classification and function.

Solution Features



> Access Control and User IDs
 

> Privileged User Rights

Restriction of the access rights of privileged user IDs to the least privileges necessary.
 

> Privileged Users

- Protect data from highly privileged Linux users.

- Only authorised database accounts, using their assigned database rights and connecting from applications on approved network clients, can access cardholder data stored on a server.

- Operating system users without authorised access to the encryption keys cannot read encrypted data.

- Granular assignment of roles and separation of duties between network administrators and security administrators. For example, several levels of security administrator can be defined, each with access only to specific parts of the system and permission to perform only the allowed, pre-defined tasks.

- Granular role-based access control and authorisation for tasks, fully automated and applied when a user logs in.

- Pre-defined and customer-defined security officer roles that can be applied. For example, roles could include helpdesk officer, audit officer and master security officer.
 

> WAF (web application firewall)

- Data access policies: where data is accessed through a web-based application, data access policies can be applied to ensure that the access control criteria are met.

- Restrict access to particular web applications to users from trusted networks who present valid access credentials (including client certificates). This is used to augment or reinforce the access controls built into the application itself.

- Set controls on the ability to read, write or execute software on portable storage devices, preventing information leakage and the accidental loss of sensitive, confidential information.

- Enforce policy so that users can only run pre-approved applications. All other applications are restricted from use, based on policy and the user's need to know.
Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk