Typically, when you think about securing sensitive business data, the first thing that comes to mind is a hacker in action: you prepare to face a security breach or a sophisticated attack. In reality, however, the biggest threat to an organization is its own employees' lack of awareness.
Hackers use sophisticated methods and techniques to compromise the corporate network, and the employees of organizations that enforce no proper data security policies are their threat vector.
Not all employees of an organization have the same roles and responsibilities; different teams serve different functions and carry different responsibilities. The role of an accountant differs from that of an IT administrator, so if the accountant holds the same system privileges as the administrator, an attack vector is created that hackers can use to attempt a breach. PCI compliance addresses exactly this issue, which is why PCI DSS Requirement 7, Restrict Access, is a necessity for securing sensitive business data.
Why Restrict Access?
PCI DSS has several sections, and PCI Requirement 7 is the most vital, as it deals with restricting user access.
Under PCI Requirement 7, an organization is compliant with the PCI DSS standard only when it adds a Role-Based Access Control (RBAC) policy to its rule book and enforces it. This empowers the IT admin in charge to manage, grant, revoke and suspend access to every system in line with each employee's work responsibilities within the organization's network.
Under RBAC:
- The system administrators generate unique login credentials, a username and password, for each employee of the organization.
- The admin can track how, when and by whom each system was accessed.
- Usernames and passwords are never shared within a group or saved with a "remember me" option, because shared or remembered credentials make it impossible to trace which user made which change when a data breach is investigated.
Who can access your cardholder data?
Employees with the following job roles may have access to cardholder data:
- IT Staff
- Support Staff
- Customer Support Agents
Document your list
Every employee granted access to the organization's network must be documented in a list that records the following details:
- Name of the Employee
- RBAC Role
- User Type
- Supervisor’s Signature
This documented list is an aid for IT admins, approval managers and supervisors in tracking and understanding who can access which system.
Tips on how to be compliant as per PCI DSS Requirement 7
1. Audit the RBAC solution on a regular basis.
2. Disable access for inactive users.
3. Generate a unique username and password for each user.
4. Educate employees so they understand the restricted-access policies.
5. Configure a security suite to keep the RBAC system out of hackers' reach.
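As an added example (not code from the original post), the documented access list and the audit tips above modelled in Python: each row carries the four documented fields plus account state, `can_access_chd` applies the role rule from the cardholder-data section, and `audit` flags shared logins, missing supervisor sign-off, cardholder-data access granted to a role that does not need it, and idle accounts that get disabled. The user-type values, the 90-day inactivity window and the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Job roles the post lists as allowed to reach cardholder data (CHD).
CHD_ROLES = {"IT Staff", "Support Staff", "Customer Support Agents"}

@dataclass
class AccessEntry:
    """One row of the documented access list (name, RBAC role, user type,
    supervisor's signature) plus the account state needed for the audit."""
    name: str
    username: str            # must belong to one person, never a group login
    role: str
    user_type: str           # assumed values: "employee" / "contractor"
    supervisor_signed: bool  # the supervisor's signature on the list
    chd_granted: bool        # does the system currently grant CHD access?
    last_login: date
    active: bool = True

def can_access_chd(e: AccessEntry) -> bool:
    """Requirement 7 decision: active, signed off, and in a role that needs CHD."""
    return e.active and e.supervisor_signed and e.role in CHD_ROLES

def audit(entries: list, today: date, inactive_days: int = 90) -> dict:
    """Regular RBAC audit: shared usernames, missing sign-off, CHD granted to a
    role that does not need it, and accounts idle longer than inactive_days
    (those are disabled in place, as tip 2 requires)."""
    findings = {"shared": [], "unsigned": [], "over_privileged": [], "disabled": []}
    by_username = {}
    for e in entries:
        by_username.setdefault(e.username, []).append(e.name)
        if not e.supervisor_signed:
            findings["unsigned"].append(e.name)
        if e.chd_granted and e.role not in CHD_ROLES:
            findings["over_privileged"].append(e.name)   # the accountant-with-admin-rights case
        if e.active and today - e.last_login > timedelta(days=inactive_days):
            e.active = False
            findings["disabled"].append(e.name)
    findings["shared"] = [u for u, names in by_username.items() if len(names) > 1]
    return findings

# Constructed sample list (not real people or accounts).
TODAY = date(2024, 6, 1)
SAMPLE = [
    AccessEntry("Alice", "alice", "Customer Support Agents", "employee", True, True, date(2024, 5, 28)),
    AccessEntry("Bob", "accounting", "Accountant", "employee", True, True, date(2024, 5, 30)),
    AccessEntry("Carol", "accounting", "Accountant", "employee", False, False, date(2024, 5, 30)),
    AccessEntry("Dave", "dave", "IT Staff", "contractor", True, True, date(2024, 1, 15)),
]
```

Running `audit(SAMPLE, TODAY)` reports the shared "accounting" login, Carol's missing sign-off, Bob's unneeded cardholder-data access, and disables Dave's idle account.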