Access control and account management allow organizations to deny or allow the use of physical or electronic means to reach PAN and cardholder data. Access may only be granted on a verified, need-to-know basis. Standard physical access control measures include hardware, file cabinet and server room door locks. Here are the PCI-DSS’ requirements for access control.
Requirement 1 – Restrict Access to Cardholder Data
Systems and processes must be in place to limit access to critical data. Access is granted based on need-to-know, specific job duties and authorized personnel status. Rights should be limited to the least amount of data and the highest security privileges needed to perform a task. PCI-DSS requires organizations to establish an access control system that automatically denies all access unless specifically allowed. There should be logical access controls for computers, wireless networks and PIN entry devices.
Requirement 2 – Assign Unique IDs
Assigning individual IDs to each personnel ensures that all actions involving critical data and systems will be monitored and traceable. These requirements apply to sales, customer and administrative accounts with access to stored cardholder data. Management must use at least one of these common methods to authenticate all users: something known, such as a password or passphrase, and something possessed, such as a smart card or token device. Extremely sensitive accounts may use biometric security controls with the two common methods.
Requirement 3 – Restrict Physical Access
Anyone who can gain physical access to cardholder data or systems can remove devices and copy information. Companies must use appropriate facility entry controls to limit, monitor and document physical access to cardholder systems and data environments. There should be formal procedures to easily distinguish between regular personnel and temporary visitors. A visitor policy may designate on-site personnel, such as employees and contractors, who are expected to be physically present and visitors, such as vendors and guests, who may only enter the facility for short, supervised durations.
Later on we will cover network testing, security audits and security policies. Organizations who leverage our training solutions will see better employee performance, policy compliance and risk management. Contact us today for more information.