Access Control [Req 7-9]
Rule: Restrict access to cardholder data by business need, identify and authenticate all users, and restrict physical access to cardholder data.
Requirement 7: Restrict Access by Need to Know

7.2 — Access Appropriately Defined

| Control | Requirement |
|---|---|
| Access control policy | Covers all system components |
| Role-based | Based on job classification and function |
| Least privilege | Minimum access needed for job |
| Default deny | Unless specifically allowed |

7.3 — Access Control Systems

| Control | Requirement |
|---|---|
| Access control system | Restricts access based on need to know |
| Unique IDs | Assigned before granting access |
| Authorization | Documented approval required |

Requirement 8: Identify and Authenticate

8.2 — User Management

| Control | Requirement |
|---|---|
| Unique IDs | Each user has unique ID |
| No shared accounts | Exception only for documented business need |
| Lifecycle management | Add, modify, delete procedures |
| Terminated users | Immediately revoke access |

8.3 — Strong Authentication

| Control | Requirement |
|---|---|
| Password complexity | 12+ characters (or 8+ with MFA) |
| Password history | Last 4 passwords cannot be reused |
| Lockout | After 10 invalid attempts |
| Idle timeout | 15 minutes maximum |
| First-use/reset | Unique, change on first use |

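The 8.3 parameters above, enforced for one user record as an added example (not text from PCI DSS and not any product's code); the in-memory user record and PBKDF2-SHA256 hashing are assumptions, since the standard names no storage format or algorithm:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# 8.3 parameters from the table above
MIN_LEN, MIN_LEN_WITH_MFA = 12, 8   # 12+ chars, or 8+ when MFA is enforced
HISTORY_DEPTH = 4                    # last 4 passwords cannot be reused
LOCKOUT_ATTEMPTS = 10                # lock after 10 invalid attempts
IDLE_TIMEOUT_S = 15 * 60             # 15-minute idle timeout

def _hash(pw: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 with a per-user salt (the standard names no algorithm)
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class UserRecord:                    # constructed, in-memory stand-in for a user store
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # password hashes, newest last
    failed: int = 0
    locked: bool = False
    must_change: bool = False

def set_password(u, candidate, mfa_enforced=False, reset_by_admin=False):
    """Apply the length and history rules; return (accepted, reason)."""
    if len(candidate) < (MIN_LEN_WITH_MFA if mfa_enforced else MIN_LEN):
        return False, "too short"
    h = _hash(candidate, u.salt)
    if any(hmac.compare_digest(h, old) for old in u.history[-HISTORY_DEPTH:]):
        return False, "matches one of the last %d passwords" % HISTORY_DEPTH
    u.history.append(h)
    u.must_change = reset_by_admin   # first-use/reset values must be changed by the user
    return True, "ok"

def authenticate(u, candidate):
    """Check the current password and maintain the lockout counter."""
    if u.locked:
        return False, "locked"
    if not u.history or not hmac.compare_digest(_hash(candidate, u.salt), u.history[-1]):
        u.failed += 1
        if u.failed >= LOCKOUT_ATTEMPTS:
            u.locked = True
        return False, "bad password"
    u.failed = 0
    return True, "change required" if u.must_change else "ok"

def session_expired(last_activity: float, now: float) -> bool:
    """True when the session has been idle longer than the 15-minute maximum."""
    return now - last_activity > IDLE_TIMEOUT_S
```

Unlocking a locked account and the time-based part of the lockout are left to the surrounding system; the record here only stops further attempts once the threshold is reached.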
8.4 — MFA for CDE Access (Critical)

Multi-factor authentication required for:

- All access into the CDE
- All remote network access
- All administrative access

MFA factors (2 of 3):

- Something you know (password, PIN)
- Something you have (token, smart card)
- Something you are (biometric)

8.5 — MFA Configuration

| Control | Requirement |
|---|---|
| Independence | Factors independent of each other |
| Replay protection | Authentication data cannot be reused |
| Cannot be bypassed | Unless documented exception |

8.6 — Application/System Accounts

| Control | Requirement |
|---|---|
| Unique identification | Each application account identified |
| Interactive login | Prohibited unless exception |
| Hardcoded credentials | Prohibited in scripts/code |
| Password management | Secure storage, rotation |

Requirement 9: Physical Security

9.2 — Physical Access Controls

| Control | Requirement |
|---|---|
| Entry controls | Badge readers, locks, etc. |
| Access logs | Record all physical access |
| Visitor procedures | Authorization, escort, badge |
| Secure areas | Data centers, sensitive areas protected |

9.3 — Access Authorization

| Control | Requirement |
|---|---|
| Authorized list | Maintain list of authorized personnel |
| Review | At least quarterly |
| Visitor management | Identify, authorize, log, escort |
| Visitor badges | Visibly different from employee badges |

9.4 — Media with Cardholder Data

| Control | Requirement |
|---|---|
| Classification | Media with cardholder data classified |
| Secure storage | Locked facility or container |
| Distribution | Authorized and tracked |
| Destruction | Render unrecoverable (cross-cut shred, degauss) |

9.5 — POI Device Protection

| Control | Requirement |
|---|---|
| Device list | Maintain inventory |
| Periodic inspection | Examine for tampering |
| Training | Staff aware of tampering risks |
| Third-party devices | Verify before connecting |

Citation
PCI DSS v4.0.1 Requirements 7-9