Castleforce IT Security Team

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

To ensure critical data can only be accessed by authorised personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.

“Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.


7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:

  • 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
  • 7.1.2 Assignment of privileges is based on individual personnel’s job classification and function
  • 7.1.3 Requirement for an authorization form signed by management that specifies required privileges
  • 7.1.4 Implementation of an automated access control system

7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need-to-know, and is set to “deny all” unless specifically allowed. This access control system must include the following:

  • 7.2.1 Coverage of all system components
  • 7.2.2 Assignment of privileges to individuals based on job classification and function
  • 7.2.3 Default “deny-all” setting
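The following is an added, constructed example (not part of the Castleforce page or any vendor's product) showing what 7.1 and 7.2 look like when reduced to code: privileges are granted per job classification (7.1.2 / 7.2.2), a management authorisation must be on file before any access is evaluated (7.1.3), every decision falls through to "deny" unless the (resource, action) pair is explicitly listed for the role (7.2.3), and a review function lists which user IDs currently hold privileged actions (7.1.1). The role names, resources, actions and user records are all assumptions chosen for illustration.

```python
"""Deny-by-default, need-to-know access control check (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Privilege = Tuple[str, str]  # (resource, action)

# Constructed sample: job classification -> privileges explicitly granted (7.1.2 / 7.2.2).
# Anything not listed here is denied; there is no "allow" fallback (7.2.3).
ROLE_PRIVILEGES: Dict[str, FrozenSet[Privilege]] = {
    "cashier": frozenset({("pos_terminal", "execute")}),
    "payment_ops": frozenset({("pos_terminal", "execute"), ("chd_db", "read")}),
    "dba": frozenset({("chd_db", "read"), ("chd_db", "write"), ("chd_db", "schema")}),
}

# Actions treated as privileged for the least-privilege review (7.1.1); constructed choice.
PRIVILEGED_ACTIONS = frozenset({"write", "schema"})


@dataclass(frozen=True)
class User:
    user_id: str      # unique per person (Requirement 8)
    role: str         # job classification
    authorised: bool  # management-signed authorisation form on file (7.1.3)


def is_allowed(user: User, resource: str, action: str,
               roles: Dict[str, FrozenSet[Privilege]] = ROLE_PRIVILEGES) -> bool:
    """Return True only when the privilege is explicitly granted to the user's role.

    Deny-by-default: a missing authorisation form, an unknown role, or an
    unlisted (resource, action) pair all fall through to False.
    """
    if not user.authorised:
        return False
    return (resource, action) in roles.get(user.role, frozenset())


def privileged_users(users: Iterable[User],
                     roles: Dict[str, FrozenSet[Privilege]] = ROLE_PRIVILEGES,
                     privileged: FrozenSet[str] = PRIVILEGED_ACTIONS) -> List[str]:
    """Sorted IDs of users whose role carries any privileged action (7.1.1 review list)."""
    return sorted(
        u.user_id for u in users
        if any(action in privileged for _, action in roles.get(u.role, frozenset()))
    )


def evaluate_requests(users: Iterable[User],
                      requests: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Evaluate (user_id, resource, action) requests and return one decision line each.

    A request from an unknown user ID is denied as well, so every decision is logged.
    """
    by_id = {u.user_id: u for u in users}
    lines = []
    for user_id, resource, action in requests:
        user = by_id.get(user_id)
        allowed = user is not None and is_allowed(user, resource, action)
        decision = "ALLOW" if allowed else "DENY"
        role = user.role if user is not None else "?"
        lines.append(f"{decision} user={user_id} role={role} {resource}:{action}")
    return lines


# Constructed sample directory and request batch.
SAMPLE_USERS = [
    User("u-alice", "cashier", True),
    User("u-bob", "payment_ops", True),
    User("u-carol", "payment_ops", False),   # no signed authorisation yet
    User("u-dana", "dba", True),
    User("u-erin", "contractor", True),      # role with no privileges defined
]

SAMPLE_REQUESTS = [
    ("u-alice", "chd_db", "read"),        # cashier has no CHD database access
    ("u-bob", "chd_db", "read"),          # explicitly granted
    ("u-carol", "chd_db", "read"),        # role would allow, authorisation missing
    ("u-dana", "chd_db", "write"),        # privileged, explicitly granted
    ("u-erin", "pos_terminal", "execute"),  # unknown role -> deny
    ("u-zed", "chd_db", "read"),          # unknown user ID -> deny
]

if __name__ == "__main__":
    for line in evaluate_requests(SAMPLE_USERS, SAMPLE_REQUESTS):
        print(line)
    print("privileged IDs for review:", privileged_users(SAMPLE_USERS))
```

The point of structuring it this way is that there is no code path that returns "allow" without a positive lookup; adding a new role, system component or user changes nothing until someone writes an explicit grant, which is what "coverage of all system components" with a default deny means in practice. The `privileged_users` list is the artefact an assessor typically asks for when checking 7.1.1.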

Implement Strong Access Control Measures

Bit9 provides application whitelisting, real-time configuration audit, and change control

7.1 Limit access to computing resources and cardholder information only to those individuals whose jobs require such access.

Portable storage devices can be an easy source of data leakage and loss. Bit9 can set controls on the ability to read/write/execute software on portable storage devices, preventing information leakage and accidental loss of sensitive, confidential information.

7.2 Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.

When a user logs into a system, the user will be restricted to run only the applications that have been pre-approved. All other applications will be restricted from use based on the user’s policy and need to know.

For more details on Bit9 

Protect Card Holder Data

nuBridges Protect: data at rest & in transit

nuBridges Protect is designed to make it easier for IT to make your operations PCI DSS compliant. Here are just a few examples:

  • No database or file layout changes required — encrypt a 16-digit credit card number without changing your pre-defined file layout, your application screens, or your reports
  • No database downtime during encryption; encryption processes run in the background, allowing high-availability systems to remain active

Supports two data protection methods:

  1. Distributed encryption with centralized key management that does not require a persistent connection between the hub and the spokes – the optimum in performance and availability;
  2. Format Preserving Tokenization™ with central data vault

Contact Castleforce for help with PCI DSS

PCI DSS Core Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

Network Access Control Partners

NAC and IPS by ForeScout Technologies

ForeScout’s clientless network access control (NAC) solutions enable customers to gain complete control over network security without disrupting end-user productivity. ForeScout’s CounterACT combines NAC and signature-less intrusion prevention in a single network appliance that interrogates and controls access of every device and seamlessly integrates with any existing IT infrastructure. ForeScout’s NAC is completely transparent and enables enterprises to tailor enforcement to match the level of policy violations, eliminating disruptions during device interrogation.

Single Sign On Partners

Evidian Identity and Access Management

Evidian Identity and Access Management with dynamic access control and SSO. Evidian software helps you to deploy a global security policy and service level management capability, through identity and access management and service level management software suites.