TABLE OF CONTENTS
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
Access-controls allow merchants to permit or deny the use oh physical or technical ways to access cardholder data. This is normally granted on a need-to-know basis.
Requirement 7: Restrict access to cardholder data by business need-to-know
Limited access based on need to know and the employee job responsibilities are essential to ensure critical data is protected
- What is involved in this requirement
- Limit access to systems and data to only individuals that would need the access.
- Establish an access control system(s) that restricts access to control access.
- Ensure all policies are documented
Requirement 8: Identify and authenticate access to system components
Ensuring that each person with access has a unique identification (ID) will ensure that actions taken on critical data and systems are performed by authorized trackable users.
- What is involved in this requirement
- Define and implement policies and procedures to ensure proper user id management for all users and administrators.
- Employ at least one of these to authenticate all users.
- Password or passphrase
- Token device or smart card
- Biometric
- Ensure all individual non-console administrative access and all remote access to cardholder data environment uses multi-factor authentication.
- This is ensuring access uses uses 2 of the previous three methods.
- Using the same method twice is not considered as multi factory.
- This is ensuring access uses uses 2 of the previous three methods.
- Develop, implement, and communicate authentication policies and procedures.
- Do not use group, shared, or generic IDs.
- Use of other authentication mechanisms must be assigned to the individual account.
- Physical security tokens
- Smart cards
- Certificates
- All access to any database containing cardholder data must be restricted.
- All access must be programmatic in method.
- Ensure all policies are documented.
Requirement 9: Restrict physical access to cardholder data
Any and all access to systems that house cardholder data will need to be restricted appropriately.
- What is involved in this requirement
- Use appropriate facility entry controls to limit and monitor physical access.
- Develop procedures to distinguish between onsite personnel and visitors
- Control physical access to sensitive areas.
- Access must be authorized based on job function.
- Ensure visitors are authorized before entering areas where card holder data is processed, maintained.
- Given a physical badge or other id that expires
- Use a visitor log to maintain a physical audit trail.
- Physically secure all media.
- Store back-ups in a secure location
- Offsite Preferred
- Store back-ups in a secure location
- Maintain strict control over distribution of any media
- Maintain strict control over storage and accessibility of media
- Destroy media that is no longer needed
- Protect devices that capture payment data via direct physical interaction with the card to avoid tampering and substitution.
- Periodic inspections of POS device surface for tampering
- Training personnel to be aware of suspicious activity.
- Ensure all policies are documented.
Additional Resources and Help!
Still have questions? Please contact us any time at support@ezsoftpos.com.
NOTE: If emailing, please include your business name in the subject line of the email
and provide your preferred contact information for the best response time.
Visit our help center Help Center for more guides and tutorials