PCI Requirement 7.1.2 – Restrict Access to Privileged User IDs to Least Privileges Necessary
Within your organization, you will obviously have personnel who require an elevated level of privilege. You need some personnel with more responsibility than others, but you do want to limit the ability for someone to impact the security of the cardholder data environment. PCI Requirement 7.1.2 requires you to limit access to privileged user IDs to personnel who truly require it for the function of their job. PCI Requirement 7.1.2 states, “Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.” The PCI DSS explains, “When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.”
During the assessment, assessors will be looking for an accounting of why these roles or individuals have an elevated level of privilege. Assessors will also interview the personnel responsible for assigning access to determine if access to privileged user IDs is given only to those who specifically require such access and if access is restricted to least privileges necessary.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.