PCI DSS FAQ - Payment Card Industry (PCI) Data Security Standard Discussion Forum  


[PCI-DSS] Requirement 7: Restrict access to cardholder data by business need-to-know This requirement ensures critical data can only be accessed by authorized personnel.

#1 - 03-18-2007, 03:10 AM
Posted by admin (Administrator)
7.2 Establish a mechanism for systems with multiple users that restricts access based on a user's need to know, and is set to deny-all unless specifically allowed.

7.2 Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
This access control system must include the following:
  • 7.2.1 Coverage of all system components
  • 7.2.2 Assignment of privileges to individuals based on job classification and function
  • 7.2.3 Default "deny-all" setting
Examine system settings and vendor documentation to verify that an access control system is implemented as follows:
  • 7.2.1 Confirm that access control systems are in place on all system components.
  • 7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
  • 7.2.3 Confirm that the access control systems have a default "deny-all" setting.
Note: Some access control systems are set by default to "allow-all", thereby permitting access unless/until a rule is written to specifically deny it.
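An added example (not part of the forum post or of the PCI DSS text) that expresses 7.2.2 and 7.2.3 as code: privileges are attached to job roles rather than to named users, and the check is "deny-all" unless an explicit privilege matches. The second checker shows the "allow-all" default the note warns about, evaluated over the same requests. Role names, resources and sample users are constructed for illustration.

```python
# Added example, not from the forum post or the PCI DSS text.
# Role names, resources and sample users below are constructed for illustration.

# 7.2.2: privileges are granted to roles (job function), never to named users.
ROLE_PRIVILEGES = {
    "payment_app": {("cardholder_db", "read"), ("cardholder_db", "write")},
    "dba": {("cardholder_db", "read"), ("cardholder_db", "admin")},
    "helpdesk": {("ticket_system", "read"), ("ticket_system", "write")},
}

# Each user is assigned exactly one job role (constructed sample data).
USER_ROLES = {"svc-pos": "payment_app", "alice": "dba", "bob": "helpdesk"}

def is_allowed(user, resource, action):
    """7.2.3 default "deny-all": permit only when the user's role carries an
    explicit privilege for (resource, action); unknown users, roles,
    resources or actions all fall through to deny."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return (resource, action) in ROLE_PRIVILEGES.get(role, set())

# The pitfall in the note: a system whose default is "allow-all" and which
# only honours explicitly written deny rules.
DENY_RULES = {("helpdesk", "cardholder_db", "read")}

def is_allowed_allow_all_default(user, resource, action):
    """Anything not explicitly denied is permitted, including requests from
    users who are not in the access control system at all."""
    role = USER_ROLES.get(user)
    return (role, resource, action) not in DENY_RULES

def audit(checker, requests):
    """Run a list of (user, resource, action) requests through a checker and
    return those it permitted; the 7.2.1-7.2.3 test is that only requests
    backed by an assigned privilege appear in the result."""
    return [r for r in requests if checker(*r)]

if __name__ == "__main__":
    requests = [
        ("svc-pos", "cardholder_db", "read"),   # legitimate, by role
        ("bob", "cardholder_db", "read"),       # explicitly denied in both
        ("bob", "cardholder_db", "write"),      # no rule either way
        ("mallory", "cardholder_db", "read"),   # user unknown to the system
    ]
    print("deny-all default permits:", audit(is_allowed, requests))
    print("allow-all default permits:", audit(is_allowed_allow_all_default, requests))
```

With a deny-all default only the first request is permitted; with an allow-all default the unlisted write and the unknown user both get through, which is exactly what the 7.2.3 test procedure is meant to catch.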



