PCI (Payment Card Industry Security Standard): Test 7.3

PCI (Payment Card Industry Security Standard)

Restrict access to cardholder data by business need to know

Test 7.3

7.3 Examine documentation and interview personnel to verify that security policies and operational procedures for restricting access to cardholder data are:

– documented,
– in use, and
– known to all affected parties.

Personnel need to be aware of and follow security policies and operational procedures to ensure that access is controlled and based on need-to-know and least privilege on a continuous basis.

Requirement 8: Identify and authenticate access to system components

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.

The effectiveness of a password is largely determined by the design and implementation of the authentication system, particularly how frequently password attempts can be made by an attacker and the security methods used to protect user passwords at the point of entry, during transmission, and while in storage.

Note: These requirements are applicable for all accounts, including point-of-sale accounts with administrative capabilities, and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance). These requirements do not apply to accounts used by consumers (e.g. cardholders). However, Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).


What is a Cybersecurity Compliance Framework?

As security and privacy programs become more sophisticated, you don't need to clutter them with an ever-increasing number of tools. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly specialized and in-demand security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
