💼 7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood. | 2 | | | |
    💼 7.1.1 All security policies and operational procedures identified in Requirement 7 are documented, kept up to date, in use, and known to all affected parties. | | | | |
    💼 7.1.2 Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood. | | | | |
💼 7.2 Access to system components and data is appropriately defined and assigned. | 6 | | | |
    💼 7.2.1 An access control model is defined and includes granting appropriate access. | | | | |
    💼 7.2.2 Access is assigned to users, including privileged users, based on job classification, function, and least privileges. | | | | |
    💼 7.2.3 Required privileges are approved by authorized personnel. | | | | |
    💼 7.2.4 All user accounts and related access privileges, including third-party/vendor accounts, are reviewed. | | | | |
    💼 7.2.5 All application and system accounts and related access privileges are assigned and managed. | 1 | | | |
        💼 7.2.5.1 All access by application and system accounts and related access privileges are reviewed. | | | | |
    💼 7.2.6 All user access to query repositories of stored cardholder data is restricted. | | | | |
💼 7.3 Access to system components and data is managed via an access control system(s). | 3 | | | |
    💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components. | | | 5 | |
    💼 7.3.2 The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. | | | | |
    💼 7.3.3 The access control system(s) is set to “deny all” by default. | | | | |