Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

Unauthorized individuals may gain access to critical data or systems due to ineffective access control rules and definitions. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.

“Access” or “access rights” are created by rules that provide users access to systems, applications, and data, while “privileges” allow a user to perform a specific action or function in relation to that system, application, or data. For example, a user may have access rights to specific data, but whether they can only read that data, or can also change or delete the data, is determined by the user’s assigned privileges.

“Need to know” refers to providing access to only the least amount of data needed to perform a job.

“Least privileges” refers to providing only the minimum level of privileges needed to perform a job.
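The distinction the two definitions draw (an access right says which data a role may reach at all; a privilege says what it may do there) is easiest to see as an authorization check that tests both layers with default deny, plus a review helper that flags grants beyond what a job needs. The following is an added example and not PCI DSS material: the role names, dataset names and the `ROLES` table are constructed for illustration.

```python
"""Added example (not from PCI DSS): authorization that separates access rights
(need to know) from privileges (least privilege), with default deny."""

# Constructed role model for this example. "access" lists the data sets a role
# may reach at all; "privileges" lists the actions allowed on each data set.
ROLES = {
    "support_agent": {
        "access": {"customer_profile"},
        "privileges": {"customer_profile": {"read"}},
    },
    "billing_admin": {
        "access": {"customer_profile", "card_data"},
        "privileges": {"customer_profile": {"read"}, "card_data": {"read", "update"}},
    },
    "dba": {
        "access": {"card_data"},
        "privileges": {"card_data": {"read", "update", "delete"}},
    },
}


def authorize(role, dataset, action):
    """Return (allowed, reason). Default deny: an unknown role, a data set outside
    the role's need-to-know set, or an action outside its privileges is refused."""
    entry = ROLES.get(role)
    if entry is None:
        return False, "unknown role"
    if dataset not in entry["access"]:
        return False, "no access right to dataset"
    if action not in entry["privileges"].get(dataset, set()):
        return False, "privilege not granted"
    return True, "allowed"


def excess_privileges(role, job_needs):
    """Compare a role's grants with what the job actually requires.

    job_needs maps data set -> set of actions the job needs. Returns
    (unneeded_datasets, extra_actions): data sets the role can reach but the job
    does not need (need-to-know gap) and, per needed data set, actions granted
    beyond those required (least-privilege gap)."""
    entry = ROLES[role]
    unneeded_datasets = entry["access"] - set(job_needs)
    extra_actions = {}
    for dataset, needed in job_needs.items():
        extra = entry["privileges"].get(dataset, set()) - set(needed)
        if extra:
            extra_actions[dataset] = extra
    return unneeded_datasets, extra_actions


if __name__ == "__main__":
    for request in [("support_agent", "customer_profile", "read"),
                    ("support_agent", "customer_profile", "delete"),
                    ("support_agent", "card_data", "read"),
                    ("intern", "card_data", "read")]:
        print(request, "->", authorize(*request))
    # Periodic review: a billing admin whose job only needs to read card data.
    print(excess_privileges("billing_admin", {"customer_profile": {"read"},
                                              "card_data": {"read"}}))
```

The two checks in `authorize` map directly onto the two definitions: failing the first is a need-to-know violation, failing the second is a privilege violation, and both are refused unless explicitly granted. `excess_privileges` is the kind of comparison an access review would run against each role to find grants that have outgrown the job.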

These requirements apply to user accounts and access for employees, contractors, consultants, and internal and external vendors and other third parties (for example, for providing support or maintenance services). Certain requirements also apply to application and system accounts used by the entity (also called “service accounts”).
