Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
To ensure critical data can only be accessed by authorised personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
“Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
- 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
- 7.1.2 Assignment of privileges is based on individual personnel’s job classification and function
- 7.1.3 Requirement for an authorization form signed by management that specifies required privileges
- 7.1.4 Implementation of an automated access control system
7.2 Establish an access control system for system components with multiple users that restricts access based on a user’s need-to-know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
- 7.2.1 Coverage of all system components
- 7.2.2 Assignment of privileges to individuals based on job classification and function
- 7.2.3 Default “deny-all” setting
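The following is an added example, not text or code from PCI DSS or any vendor on this page, showing what 7.1.1, 7.2.2 and 7.2.3 look like as an enforcement check: every job function carries an explicit list of (resource, action) grants, anything not listed is denied, and an audit helper flags grants a role never exercises so privileged accounts can be trimmed back to least privilege. The role names, resource names and access-log entries are constructed for illustration.

```python
"""Need-to-know access check with a default-deny policy (added example).

Roles, resources, actions and the sample access log below are constructed
assumptions for illustration; they are not a published PCI DSS mapping.
"""
from dataclasses import dataclass

# Each job function lists exactly the (resource, action) pairs it needs.
# Anything absent from a role's set is denied: there is no "allow" fallback.
POLICY = {
    "cashier":       {("pos_terminal", "read"), ("pos_terminal", "write")},
    "fraud_analyst": {("cardholder_db", "read")},
    "dba":           {("cardholder_db", "read"), ("cardholder_db", "write"),
                      ("db_config", "write")},
}

# Constructed access log: (role, resource, action, allowed).
ACCESS_LOG = [
    ("cashier",       "pos_terminal",  "read",  True),
    ("cashier",       "pos_terminal",  "write", True),
    ("cashier",       "cardholder_db", "read",  False),
    ("fraud_analyst", "cardholder_db", "read",  True),
    ("dba",           "db_config",     "write", True),
]


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user_roles, resource, action, policy=POLICY):
    """Allow only when one of the user's roles explicitly grants
    (resource, action). Unknown roles, unknown resources and unlisted
    actions all fall through to the default deny (7.2.3)."""
    for role in user_roles:
        if (resource, action) in policy.get(role, set()):
            return Decision(True, f"allowed by explicit grant to role {role!r}")
    return Decision(False, "no explicit grant; default deny")


def unused_grants(policy, access_log):
    """Grants present in the policy that no successful access ever used.

    Periodic review of this list is how a privileged role (7.1.1) is kept
    at least privilege: grants that are never exercised get removed.
    Returns sorted (role, resource, action) tuples.
    """
    used = {(role, res, act) for role, res, act, ok in access_log if ok}
    return sorted((role, res, act)
                  for role, grants in policy.items()
                  for res, act in grants
                  if (role, res, act) not in used)


if __name__ == "__main__":
    print(authorize(["cashier"], "pos_terminal", "read"))
    print(authorize(["cashier"], "cardholder_db", "read"))   # default deny
    print(authorize(["dba"], "cardholder_db", "delete"))     # action not granted
    print("grants never exercised:", unused_grants(POLICY, ACCESS_LOG))
```

The point of `unused_grants` is that "deny all unless allowed" only stays least-privilege if the allow list shrinks when a job function stops needing something; the review evidence for 7.1.3 (the management-signed authorization) should match what this report shows as actually used.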
Implement Strong Access Control Measures
7.1 Limit access to computing resources and cardholder information only to those individuals whose jobs require such access.
Portable storage devices can be an easy source of data leakage and loss. Bit9 can set controls on the ability to read/write/execute software on portable storage devices, preventing information leakage and accidental loss of sensitive, confidential information.
7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.
When a user logs into a system, the user is restricted to running only the applications that have been pre-approved. All other applications are blocked according to the user’s policy and need to know.
Protect Cardholder Data
nuBridges Protect is designed to make it easier for IT to make your operations PCI DSS compliant. Here are just a few examples:
- No database or file layout changes required — encrypt a 16-digit credit card number without changing your pre-defined file layout, your application screens, your reports
- No database downtime during encryption; encryption runs as a background process, so high-availability systems remain active
Supports two data protection methods:
- Distributed encryption with centralized key management that does not require a persistent connection between the hub and the spokes – the optimum in performance and availability;
- Format Preserving Tokenization™ with central data vault
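The following is an added example, written for this page and not nuBridges code, of the central-vault tokenization model named above: the token replaces the PAN in files and screens without changing their layout, and only the vault can map it back. The design choices here (the token keeps the PAN's length and last four digits, is made to fail the Luhn check so it can never be mistaken for a real card number, and is stored in an in-memory dictionary) are this example's assumptions; a production vault persists the mapping in an encrypted store and gates `detokenize` behind the Requirement 7 access controls. The PANs used are well-known test numbers.

```python
"""Format-preserving tokenization with a central vault (added example).

Design assumptions of this example, not a description of any product:
- token has the same length as the PAN and keeps the last four digits
- token deliberately fails the Luhn check
- the vault is an in-memory dict; a real vault is an encrypted store
"""
import secrets


def luhn_checksum_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """Syntactic PAN check: 13-19 digits with a valid Luhn checksum."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_checksum_ok(pan)


class TokenVault:
    """Central vault mapping random tokens to PANs and back."""

    def __init__(self, rng=secrets):
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._rng = rng           # any object with randbelow(n)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not is_valid_pan(pan):
            raise ValueError("not a syntactically valid PAN")
        # Same PAN -> same token, so joins and lookups on the token keep working.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(self._rng.randbelow(10))
                           for _ in range(len(pan) - 4))
            token = body + pan[-4:]   # keep last four for receipts/screens
            # Reject on collision, and reject if the token happens to be
            # Luhn-valid: a token must never look like a real card number.
            if token not in self._token_to_pan and not luhn_checksum_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; callers must be authorised per Req. 7."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111 1111 1111 1111")   # widely published test PAN
    print("token:", t, "luhn ok:", luhn_checksum_ok(t))
    print("detokenized:", vault.detokenize(t))
```

Because the token preserves only the last four digits, the twelve random digits leave 10^12 possible tokens per last-four group; the vault lookup, not the token's form, is what ties a token back to a PAN, which is why access to `detokenize` is the sensitive operation.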
Network Access Control Partners
ForeScout’s clientless network access control (NAC) solutions enable customers to gain complete control over network security without disrupting end-user productivity. ForeScout’s CounterACT combines NAC and signature-less intrusion prevention in a single network appliance that interrogates and controls access of every device and seamlessly integrates with any existing IT infrastructure. ForeScout’s NAC is completely transparent and enables enterprises to tailor enforcement to match the level of policy violations, eliminating disruptions during device interrogation.
Single Sign On Partners
Evidian Identity and Access Management provides dynamic access control and SSO. Evidian software helps you deploy a global security policy and service level management capability through its identity and access management and service level management software suites.