The Merchant Processing Guru Tip# 36: The 12 requirements of PCI Compliance – Requirement #7
“Restrict access to cardholder data by business need to know.” So not only should you keep your clients' cardholder data secure from outside prying eyes, but you must also limit access to that data to only those employees who actually need it to perform their job responsibilities. This includes assigning individual access rights & privileges to each person who has access to your networks or to any other location where you store cardholder data.
This requirement also requires that you document written approval by an authorized party and, of course, that you actually implement an access control system, whether it be a login & password, a lock and key, or whatever serves the purpose.
An access control system with multiple users on a network should include the following:
A default “deny-all” function, so that when adding a new user you must specifically grant them access;
the ability to assign privileges based on job classification & job function. For example, do not give the cook the same access privileges as a server, or a nurse the same access privileges as the billing clerk.
This access control should cover your entire system and its components.
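As an added illustration (not code from the original post), here is a minimal access control model of the two points above: a default-deny decision for anyone not explicitly assigned, privileges tied to job role, and a grant that is refused unless an approver is recorded. The roles, users and approver names are constructed sample data.

```python
from dataclasses import dataclass, field

# Privileges each job role may hold on cardholder data (constructed
# sample roles; the post's own examples were cook/server, nurse/billing clerk).
ROLE_PRIVILEGES = {
    "billing_clerk": {"read_chd", "refund"},
    "server": {"read_last4"},
    "cook": set(),    # no cardholder data access at all
    "nurse": set(),
}

@dataclass
class Assignment:
    user: str
    role: str
    approved_by: str  # the documented, authorized approval Requirement 7 asks for

@dataclass
class AccessControl:
    assignments: dict = field(default_factory=dict)

    def grant(self, user, role, approved_by):
        """Assign a role to a user; refused without an approver on record."""
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {role!r}")
        if not approved_by:
            raise ValueError("a documented approver is required")
        self.assignments[user] = Assignment(user, role, approved_by)

    def is_allowed(self, user, privilege):
        """Default deny: unknown users and roles lacking the privilege get False."""
        assignment = self.assignments.get(user)
        if assignment is None:
            return False
        return privilege in ROLE_PRIVILEGES[assignment.role]

def demo():
    """Exercise the policy with constructed users; returns the decisions."""
    ac = AccessControl()
    ac.grant("alice", "billing_clerk", approved_by="finance_manager")
    ac.grant("bob", "server", approved_by="floor_manager")
    return {
        "alice_read_chd": ac.is_allowed("alice", "read_chd"),
        "bob_read_chd": ac.is_allowed("bob", "read_chd"),
        "bob_read_last4": ac.is_allowed("bob", "read_last4"),
        "carol_unassigned": ac.is_allowed("carol", "read_last4"),
    }
```

Note that "carol" is denied purely because she was never assigned a role: that is the deny-all default at work, with no special-case code needed.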
Russell Harverson has over 9 years' experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost-effective processing solution for your individual business needs; no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: [email protected]
Or call him at: 1-888-368-GURU (4878)