PCI Compliance
Implement Strong Access Control Measures
Access control is one of the cornerstones of information security. It lets a business permit or deny access to primary account numbers (PANs) and other cardholder data. This area requires that a business restrict access to cardholder data to those with a business need to know. That covers everything from locks or restricted access for paper-based cardholder data records and system hardware, to controlling access to the wireless network, PCs and other devices, to controlling access to any digital files that contain cardholder data.
Requirement 7: Restrict access to cardholder data by business need-to-know
This requirement obliges businesses to ensure that employees are granted only the access rights, and only the minimum amount of cardholder data, needed to perform their job.
- Establish an access control system for each element of the cardholder data infrastructure
- Set all access rights by default to “deny all” unless an employee is specifically allowed access to selected cardholder data
Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique ID to everyone supports forensic analysis of cardholder data access: each action taken on critical data and systems can be traced to one individual rather than to a shared account.
- Assign each worker a unique user name before granting access rights to the cardholder data system
- In addition to the unique ID, authenticate every user with a strong password or passphrase, a token or smart card, or a biometric; never rely on the user name alone
- Implement two-factor authentication for any remote access to the network
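The two building blocks above that can be expressed in code are a deny-by-default, need-to-know access policy (Requirement 7) and decisions that are always attributed to a unique per-person ID and logged (Requirement 8). The following Python is an added illustration written for this page, not PCI DSS text and not any vendor's product; the roles (`fraud_analyst`, `customer_service`), user IDs, grants and the well-known `4111 1111 1111 1111` test number are constructed sample data. Any request not matched by an explicit grant is denied, denials are logged the same as approvals, and the masking rule follows the first-six/last-four limit PCI DSS places on displayed PANs.

```python
"""Deny-by-default, need-to-know access to cardholder data elements.

Constructed illustration: the roles, user IDs, grants and card number below are
sample data, not taken from PCI DSS or from any product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Data elements PCI DSS distinguishes. Sensitive authentication data (full
# track data, CVV2, PIN block) may not be stored after authorisation, so no
# role below is ever granted access to it.
PAN = "pan"
CARDHOLDER_NAME = "cardholder_name"
EXPIRY = "expiry"
SAD = "sensitive_auth_data"


@dataclass(frozen=True)
class Grant:
    role: str
    element: str
    action: str  # "read" (clear text) or "read_masked" (first six / last four)


# The only allow-list in the system. Anything not listed here is denied;
# there is no "allow" fallback and no wildcard role.
GRANTS: FrozenSet[Grant] = frozenset({
    Grant("fraud_analyst", PAN, "read"),
    Grant("fraud_analyst", CARDHOLDER_NAME, "read"),
    Grant("fraud_analyst", EXPIRY, "read"),
    Grant("customer_service", PAN, "read_masked"),
    Grant("customer_service", CARDHOLDER_NAME, "read"),
})

# Role membership is keyed by a unique per-person ID (Requirement 8), never by
# a shared or generic account, so every audit entry names one individual.
USER_ROLES: Dict[str, Set[str]] = {
    "alice.w": {"fraud_analyst"},
    "bob.k": {"customer_service"},
    "carol.m": set(),  # valid ID but no role yet: denied everything
}


def effective_action(user_id: str, element: str) -> Optional[str]:
    """Most permissive action explicitly granted to user_id for element.

    Deny-by-default: an unknown ID, an ID with no roles, or roles with no
    matching grant all return None.
    """
    roles = USER_ROLES.get(user_id, set())
    granted = {g.action for g in GRANTS if g.role in roles and g.element == element}
    for action in ("read", "read_masked"):  # most to least permissive
        if action in granted:
            return action
    return None


def can_read(user_id: str, element: str) -> bool:
    """True only if some explicit grant (clear or masked) exists."""
    return effective_action(user_id, element) is not None


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS 3.3 allows."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class AuditLog:
    """Append-only record of every decision, allow or deny, by unique user ID."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, user_id: str, element: str, decision: Optional[str]) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "element": element,
            "decision": decision or "deny",
        })


def fetch(user_id: str, element: str, value: str, log: AuditLog) -> str:
    """Return value only under an explicit grant; mask a PAN for read_masked."""
    action = effective_action(user_id, element)
    log.record(user_id, element, action)  # denials are logged too
    if action == "read":
        return value
    if action == "read_masked" and element == PAN:
        return mask_pan(value)
    raise PermissionError(f"{user_id} has no grant for {element}")


if __name__ == "__main__":
    log = AuditLog()
    test_pan = "4111 1111 1111 1111"  # well-known test number, not a real card
    print(fetch("alice.w", PAN, test_pan, log))  # clear text
    print(fetch("bob.k", PAN, test_pan, log))    # 411111******1111
    for uid in ("carol.m", "shared_admin"):
        try:
            fetch(uid, PAN, test_pan, log)
        except PermissionError as exc:
            print("denied:", exc)
    for entry in log.entries:
        print(entry)
```

The design point is that the allow-list is the only place a decision can come from: a new user, a new role or a new data element is denied until someone writes a grant for it, which is the "deny all unless specifically allowed" posture in Requirement 7. The audit log records the user ID on every call, including refusals, so an investigator can answer who touched which element and when without relying on the application having logged only successes.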
Requirement 9: Restrict physical access to cardholder data
This requirement obliges businesses to limit and monitor physical access to areas containing systems that store, process or transmit cardholder data. It covers hard copies of data as well as physical access to the systems themselves.
- Implement facility entry controls, and limit and monitor physical access to systems that store, process or transmit cardholder data
- Destroy any media with cardholder data on it when you no longer need it
- Ensure that all paper and electronic media are physically secured
- Store backups of cardholder data in a secure location
- Use video cameras to monitor entry and exit points
- Use badges or other procedures to quickly identify employees
- Authorize all visitors before admitting them to areas where cardholder data is processed
