Implement Strong Access Control Measures
Access control is one of the cornerstones of information security. It enables a business to permit or deny the ability to access primary account numbers or other cardholder data. This area requires that a business restricts access to cardholder data to those on a need-to-know basis. This can include everything from using locks or restricted access to paper-based cardholder data records or system hardware, controlling access to the wireless network, PCs and other devices and controlling access to any digital files that contain cardholder data.
Requirement #7: Restrict access to cardholder data by business need-to-know
This requirement enforces businesses to ensure that employees are only granted the access rights needed to the least amount of data they need to perform a job.
- Establish an access control system for each element of the cardholder data infrastructure
- Set all access rights by default to “deny all” unless an employee is specifically allowed access to selected cardholder data
Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique ID to everyone will help aid in any forensic analysis of cardholder data access to help identify actions taken on critical data and systems.
- Assign each worker a unique user name before granting access rights to the cardholder data system
- Access to the system should only be granted by using a strong password or two-factor authentication
- Implement two-factor authentication for any remote access to the network
Requirement 9: Restrict physical access to cardholder data
This requirement enforces limiting and monitoring physical access to areas containing systems that store, process or transmit sensitive data. This includes hardcopies of data as well as physical access to cardholder data systems.
- Implement facility entry controls and limit and monitor physical access to systems that store, transmit and process sensitive data
- Destroy any media with cardholder data on it when you no longer need it
- Ensure that all paper and electronic media is physically secure
- Store backups of cardholder data in a secure location
- Use video cameras to monitor entry and exit points
- Use badges or other procedures to quickly identify employees
- Authorize all visitors before admitting them to areas where cardholder data is processed