• Ensuring that critical updates are applied within one month of release

Organizations that create and develop their own software must ensure that it is developed in accordance with industry standards and/or best practices. A Software Policy may be used to define how the organization achieves this. The policy should state that all development is compliant with PCI DSS and considers information security throughout the software development life cycle. Custom code should also be reviewed prior to release to production to confirm that it was written using secure coding techniques.

Strict change control processes must be in place and documented to ensure the safe and secure transition of software from the test environment to the live environment. The change control process must include an impact assessment, testing, back-out plans and approval of the change. The change record must also include checks that the system remains secure and in line with PCI DSS requirements once the change has been made. On completion of the change, all PCI DSS-required documentation must be updated where appropriate. Finally, all security policies and operational procedures for developing and maintaining secure systems and applications must be documented, in use, and known to all affected parties.

Relevant Toolkit Documents
• Change Request Form
• Information Security Policy

3.7 Requirement 7: Restrict access to cardholder data by business need to know

Staff members should only have access to the systems and information assets necessary to perform their job responsibilities. Enforcing this rule reduces the risk that staff accidentally or maliciously compromise cardholder data. The principle of "need to know" dictates that only those access rights needed to perform a job role are granted, so this requirement checks that effective authorization is actively applied within the organization. An Access Control Policy will need to be implemented that defines the access needs of each role within the organization, along with the access level required, for example user or administrator access. Each role's access must be justified, because the requirement calls for identifying an appropriately restricted level of access to each system component; this limits access to cardholder data to only those individuals whose job requires it. Access must be approved in writing by authorized parties, and the approval must specify the privileges granted and why the individual needs them. Finally, all security policies and operational procedures for restricting access to cardholder data must be documented, in use, and known to all affected parties.

Relevant Toolkit Documents
• Access Control Policy
• User Access Management Process