Category: PCI DSS Requirement 7
Restrict access to cardholder data by business need to know.
All systems within the Cardholder Data Environment should have sufficiently configured access control to ensure only authorized internal individuals have access to the environment, systems and sensitive cardholder data. All other access by non-authorized individuals must be denied. The access control must be granular and linked directly to established job role and responsibilities. The core information security concepts of “need to know” as well as “least privilege” are key here.
“Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.