Category: PCI DSS Requirement 7
Restrict access to cardholder data by business need to know.
All systems within the Cardholder Data Environment should have appropriately configured access control to ensure that only authorized internal individuals have access to the environment, its systems and sensitive cardholder data. All other access, by non-authorized individuals, must be denied. The access control must be granular and linked directly to established job roles and responsibilities. The core information security concepts of “need to know” and “least privilege” are key here.
“Need to know” means that access rights are granted only to the least amount of data and privileges needed to perform a job.
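The following is an added example, not text or code from this page or from the PCI Security Standards Council, showing how the principles above translate into code: a deny-by-default access check in which every permission is tied to a named job role, a lower-privilege "masked" view of the primary account number (PAN) for roles that do not need the full number, and an audit trail of both allowed and denied requests. The role names, permissions, user names and the sample record (which uses a test card number) are all constructed for illustration.

```python
"""Deny-by-default, role-based access control for a cardholder data environment.

Added example (not from the page or from PCI SSC): roles, permissions and the
sample record below are constructed to illustrate "need to know" and
"least privilege". A request is denied unless an assigned role explicitly
grants that (resource, action) pair.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Permissions are (resource, action) pairs. All names here are hypothetical.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    # Support agents may look up an account but only ever see a masked PAN.
    "support_agent": frozenset({("account", "read"), ("pan", "read_masked")}),
    # Chargeback analysts need the full PAN to dispute a transaction.
    "chargeback_analyst": frozenset({("account", "read"), ("pan", "read_full")}),
    # Auditors review access logs and get no cardholder data at all.
    "auditor": frozenset({("access_log", "read")}),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    role_permissions: Dict[str, FrozenSet[Tuple[str, str]]]
    audit_log: List[str] = field(default_factory=list)

    def check(self, user: str, roles: Iterable[str], resource: str, action: str) -> Decision:
        """Allow only if some assigned role explicitly holds (resource, action)."""
        roles = set(roles)
        for role in sorted(roles):
            if (resource, action) in self.role_permissions.get(role, frozenset()):
                self.audit_log.append(f"ALLOW user={user} role={role} {resource}:{action}")
                return Decision(True, f"granted by role {role}")
        # Default deny: unknown roles, empty role sets and unlisted actions all end here.
        self.audit_log.append(f"DENY user={user} roles={sorted(roles)} {resource}:{action}")
        return Decision(False, "no assigned role grants this permission")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample record; the PAN is a well-known test number, not a real card.
SAMPLE_RECORD = {"account": "ACC-1001", "pan": "4111 1111 1111 1111"}


def view_pan(ac: AccessControl, user: str, roles: Iterable[str], action: str, record: dict) -> str:
    """Return the PAN in the form the caller asked for, or raise if not authorized."""
    if action not in ("read_full", "read_masked"):
        raise ValueError(f"unsupported PAN action: {action}")
    decision = ac.check(user, roles, "pan", action)
    if not decision.allowed:
        raise PermissionError(f"{user}: {decision.reason}")
    return record["pan"] if action == "read_full" else mask_pan(record["pan"])


if __name__ == "__main__":
    ac = AccessControl(ROLE_PERMISSIONS)
    print(view_pan(ac, "alice", {"support_agent"}, "read_masked", SAMPLE_RECORD))
    print(view_pan(ac, "bob", {"chargeback_analyst"}, "read_full", SAMPLE_RECORD))
    for user, roles, action in (("alice", {"support_agent"}, "read_full"),
                                ("carol", {"auditor"}, "read_masked")):
        try:
            view_pan(ac, user, roles, action, SAMPLE_RECORD)
        except PermissionError as exc:
            print("denied:", exc)
    print("\n".join(ac.audit_log))
```

Two design points carry the requirement's intent: the check never grants by absence of a rule (an empty role set, a misspelled role or an action nobody thought to list all fall through to the DENY branch), and the masked view is modelled as a separate, lesser permission rather than as a display option, so a role that only needs the last four digits is never given the full number in the first place. Denied attempts are logged alongside allowed ones, which is what an auditor reviewing access to cardholder data will want to see.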