PCI DSS Requirements 7, 8, and 9 - Access Control
Submitted by andyeliason, Fri, 13 Jun 2008
The PCI DSS (Payment Card Industry Data Security Standard) is a list of mandates that all merchants who store, process, or transmit sensitive credit card data are required to adhere to. In total, there are 12 requirements that can be further divided into more than 200 individual security controls. To say the least, PCI compliance is not a simple thing to accomplish.
Of course, the complexity of the process does not mean you can put off PCI DSS compliance. That complexity is what it takes to reach the level of security that modern business demands. The best approach is to divide the requirements into manageable portions, accomplish the ones you can, and build on that foundation as you go.

Requirements 7, 8, and 9 of the PCI DSS cover creating and implementing strong access control measures on your systems and around sensitive credit card information.

The seventh requirement states that you must restrict access to cardholder data by business need-to-know. This is one of the more straightforward requirements of the PCI DSS: only authorized personnel should have any access to critical data. More specifically, computer resources and cardholder information should only ever be accessed by people whose job requires that access. The more people who can access the data, the more likely it is that the wrong person will get to it, and that does not only mean people with unscrupulous intentions. The wrong person could simply be someone who misplaced the data or left a system open for the information to be stumbled upon by accident.

Requirement 8 mandates that you assign a unique ID to each person with computer access to sensitive data. This requirement is a little more resource intensive than the last because it calls for more proactive work. It is necessary, though, because it lets you confirm that actions taken on critical data and systems really were performed by the authorized person; a shared or generic account cannot tie an action to an individual. The unique identifier is only the starting point. In addition to the ID, you must also use another authentication method, such as a password, a token device, or biometrics.

The passwords you use also require special attention. Don't leave them lying around, and if you store or transmit them electronically, you must make sure they are encrypted. But it doesn't end there. The addition, deletion, and modification of user IDs and other authenticators must be strictly controlled. A user's identity must be verified before you reset or change their password, access for terminated users must be revoked immediately, and, along the same lines, accounts that have been inactive for at least 90 days must be removed.

The ninth requirement goes a step further and says that you must also restrict physical access to cardholder data. This requirement stems from the fact that not all thefts are electronic. A thief could just as easily walk out with hard copies or remove an entire system and cause as much harm as the average hacker. In other words, you must have controls that limit and monitor physical access to the systems that store, process, and transmit cardholder data. Your personnel must also be able to distinguish employees from visitors, so that everyone knows who should be in sensitive areas and who shouldn't. Visitors should therefore be given some form of authorization when they arrive, such as a visitor badge, and it should be revoked or destroyed when they leave. Finally, always destroy any media that may hold sensitive information once it has served its purpose. Shred hard copies, purge computer systems, and do whatever else is necessary to make sure the data doesn't fall into the wrong hands through simple neglect.

The PCI DSS is an ever-changing standard because the business environment and criminal techniques are constantly evolving. Future success depends on keeping up, and keeping up has to start somewhere. By breaking the standard into manageable chunks, PCI compliance can be within your reach.

About the Author
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about the PCI DSS or reaching PCI compliance, visit Braintree Payment Solutions today.
Source: ArticleTrader.com