In our earlier blog Understanding PCI DSS Compliance and the benefits of using a Sensitive Data Discovery tool to aid compliance we delved into the fundamentals of PCI DSS compliance, its scope, who it applies to and the diverse set of requirements. We also discussed the invaluable role of Sensitive Data Discovery Tools like SecurEnvoy’s Data Discovery solution in achieving compliance.
In this installment, we will take a deeper dive into PCI Requirements, particularly requirement 7 and look at how Access Management Solutions can play a pivotal role in addressing the compliance criterion.
What are the 12 requirements of PCI DSS?
There are 12 requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS). These requirements are designed to enhance the security of payment card data and are applicable to organisations that handle credit card transactions, including merchants and service providers:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
What is PCI Requirement 7?
PCI Requirement 7 is to ‘restrict access to cardholder data by business need to know’. Requirement 7 specifically focuses on access control measures within an organisation’s network and systems and is divided into several sub-requirements and guidelines that organisations must adhere to in order to achieve PCI DSS compliance. It primarily revolves around the concept of restricting access to cardholder data and ensuring that access is granted on a need-to-know basis.
Here are the key elements of PCI Requirement 7:
- Limit Access to Need-to-Know: Organisations must ensure that access to cardholder data is restricted only to individuals who require it for their job responsibilities. Unnecessary access should be prevented.
- Authentication and Authorisation: Strong authentication and authorisation controls must be implemented to verify the identity of users and grant them access only to the resources and data necessary to perform their job functions.
- Unique User IDs: Each user who accesses cardholder data should have a unique user ID or account, enabling accountability for actions taken within the system.
- Multi-Factor Authentication (MFA): For remote network access and for administrators accessing systems handling cardholder data, MFA should be used to add an extra layer of security beyond just a password.
- Physical Access Control: Physical access to systems that store cardholder data should be restricted, and only authorised personnel should be allowed in areas where such data is stored.
- Access Control Systems and Passwords: Implement strong access control systems, including password policies such as complexity and rotation rules, to prevent unauthorised access.
- Restricted Access to Security Parameters: Access to security parameters, cryptographic keys, and other sensitive data should be restricted and monitored.
- Session Locking: Implement session locking after a period of inactivity to prevent unauthorised access to open sessions.
- Unique Authentication Credentials: Implement individual authentication credentials for each user accessing systems, even for shared accounts.
- Third-Party Access: If third-party vendors or service providers require access to cardholder data, their access should be properly managed, controlled, and monitored.
How can Access Management solutions ensure PCI compliance?
Access Management Solutions play a critical role in meeting the requirements of PCI Compliance, specifically Requirement 7, which focuses on limiting access to sensitive data and resources. This requirement mandates the implementation of strict access control measures to protect cardholder data.
The use of Multi-Factor Authentication (MFA) aligns with Requirement 7.1, which emphasises the need for secure access to the network by utilising strong authentication methods. By requiring multiple forms of verification, MFA enhances user authentication, ensuring that only authorised individuals can access sensitive data.
When evaluating Access Management solutions, it’s crucial to choose a technology with a wide range of multi-factor authentication options that align with your business’s diverse needs. Assess your user community by considering the devices they use, whether they’re personal devices, company-issued machines or shared terminals. It’s also vital to consider user location and their IT capabilities when determining the right authentication method. As your needs evolve, avoid solutions that restrict your MFA choices solely to smartphone OTP apps. SecurEnvoy Access Management provides a comprehensive range of authentication methods, including SMS, soft token OTP apps for both mobile and desktop, and hardware tokens.
Furthermore, Requirement 7.2 necessitates the establishment of access restrictions based on job necessity. Access Management Solutions excel in precisely this area by provisioning access according to a user’s role within the organisation, as defined by their group assignments. For instance, when dealing with financial data, Access Management Solutions ensure that only personnel in defined groups such as finance administration can access such information, adhering to the principle of least privilege outlined in Requirement 7.2.
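To make the two controls above concrete, here is an added illustration (not SecurEnvoy’s code, and not its policy format) of a deny-by-default access decision: group assignments grant actions on a data class (Requirement 7.2), remote or privileged access additionally demands a verified MFA step, and every decision is recorded against the unique user ID so that actions stay attributable. The group names, data classes and policy table are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy: group -> data class -> permitted actions.
# Anything not listed is denied, which is how "need to know" is enforced by default.
POLICY = {
    "finance-admin": {"cardholder-data": {"read", "update"}},
    "support-agent": {"cardholder-data": {"read"}},
    "marketing": {"customer-contact": {"read"}},
}
# Changing cardholder data is treated as administrative and requires MFA,
# as does any remote access, regardless of group membership.
PRIVILEGED_ACTIONS = {"update", "delete"}
AUDIT_LOG = []  # one entry per decision, keyed by the unique user ID


@dataclass(frozen=True)
class Request:
    user_id: str        # unique per person; a shared ID defeats accountability
    groups: frozenset   # group assignments taken from the directory
    data_class: str
    action: str
    remote: bool = False
    mfa_verified: bool = False


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason) for a request and record the decision."""
    allowed, reason = False, "no group grants this action on this data"
    if not req.user_id:
        reason = "missing unique user ID"
    elif any(req.action in POLICY.get(g, {}).get(req.data_class, set())
             for g in req.groups):
        needs_mfa = req.remote or req.action in PRIVILEGED_ACTIONS
        if needs_mfa and not req.mfa_verified:
            reason = "MFA required for remote or privileged access"
        else:
            allowed, reason = True, "granted by group assignment"
    AUDIT_LOG.append({"user": req.user_id, "groups": sorted(req.groups),
                      "data": req.data_class, "action": req.action,
                      "remote": req.remote, "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    finance = frozenset({"finance-admin"})
    print(evaluate(Request("alice", finance, "cardholder-data", "read")))
    print(evaluate(Request("alice", finance, "cardholder-data", "update")))
    print(evaluate(Request("alice", finance, "cardholder-data", "update", mfa_verified=True)))
    print(evaluate(Request("bob", frozenset({"marketing"}), "cardholder-data", "read")))
```

Note that the MFA check is applied after the group check, so a user outside the permitted groups is refused even with a valid second factor; MFA strengthens authentication but never widens authorisation.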
In conclusion, by addressing user authentication through Multi-factor Authentication and fine-grained authorisation based on roles and group assignments, Access Management Solutions directly contribute to achieving and maintaining PCI Compliance, particularly in relation to Requirement 7 and its emphasis on robust access control measures.