Requirement 7: Restricting Access to System Components and Cardholder Data

Access control is the gatekeeper of the CDE. Even if an attacker bypasses the network perimeter, strong access controls can contain the damage — limiting which systems can be reached and which data can be read, modified, or exfiltrated. Requirement 7 establishes the principle of least privilege as the governing model for all access to CDE systems and cardholder data.

The Principle of Least Privilege

Access to system components and cardholder data must be limited to only those individuals whose job requires that access. This is the "need-to-know" principle: if a person's job function does not require access to cardholder data, they should not have it — regardless of their seniority or role.

KEY IDEA

Least privilege is not just about blocking external threats — it is about limiting the blast radius of any breach. An attacker who compromises a low-privilege account gains only what that account can access. An organization where every employee has broad CDE access amplifies every credential compromise into a potential full CDE breach.

Access Control Model — What PCI DSS Requires

PCI DSS v4.0 requires a formally documented access control model. Access must be assigned based on: the individual's job classification and function, the minimum access rights required to perform that function, and formal authorization from management.

Access Control Component	PCI DSS Requirement	Implementation Approach
Least privilege assignment	Access based on minimum necessary for job function	Role-based access control (RBAC) with documented role definitions
Access authorization	All access formally authorized before provisioning	Ticket-based provisioning with manager approval workflow
Access documentation	All user IDs and their access rights documented	User access register maintained and current
Access review	Periodic review of all user access rights	Quarterly access reviews for CDE systems — recertification by managers
Access revocation	Access removed when no longer required	HR-IT offboarding workflow, immediate revocation on termination

Privileged Access — The Highest Risk

Privileged access (admin, root, DBA) to CDE systems is the most dangerous access category. PCI DSS requires: privileged access is assigned only when required for a specific task, privileged accounts are not used for routine activities, all privileged access is logged and monitored, and administrative access is reviewed more frequently.

IMPORTANT

The most common access control failure in PCI DSS assessments is not missing access controls — it is access accumulation over time. Users who change roles retain their old access rights. Departed employees whose accounts were not properly deprovisioned. Developers who were given temporary production access during an incident and never had it removed. Regular access reviews (at least quarterly for CDE systems) are the mandatory antidote.

Third-Party and Vendor Access

Third-party vendor access to the CDE is subject to all Requirement 7 controls — and adds additional requirements for monitoring and authorization. All third-party access must be: limited to the systems they need to support, enabled only when needed and disabled when not in use, monitored during the session, and covered by a contractual agreement including PCI DSS security obligations.

Documentation Requirements for QSA Assessment

QSAs testing Requirement 7 will request: the access control model documentation, the list of all user accounts with access to CDE systems, evidence of the access review process (including records of reviews conducted), and evidence that access was removed promptly when personnel changed roles or departed.

For Indonesian organizations undergoing their first PCI DSS assessment, Requirement 7 compliance often requires more process redesign than technical implementation. The technical capability to restrict access is usually present — the gap is in the formalized authorization workflow, the documented role definitions, and the access review cadence. Prioritize building the access governance process, not just the technical controls.

The Principle of Least Privilege

Access Control Model — What PCI DSS Requires

Privileged Access — The Highest Risk

Third-Party and Vendor Access

Documentation Requirements for QSA Assessment

PCI DSS Foundations

What is PCI DSS and Why It Matters

The 12 PCI DSS Requirements: A Complete Overview

PCI DSS Scope: Understanding the Cardholder Data Environment

Merchant Levels and Service Provider Levels

PCI DSS v4.0 — What Changed and Why It Matters

PCI DSS vs ISO 27001 vs SOC 2 — Framework Comparison

PCI DSS Requirements In Depth

Requirements 1 & 2: Network Security and Secure Configurations

Requirement 3: Protecting Stored Account Data

Requirement 4: Protecting Cardholder Data in Transit

Requirements 5 & 6: Vulnerability Management

Requirement 7: Restricting Access to System Components and Cardholder Data

Requirement 8: Identifying Users and Authenticating Access

Requirement 9: Restricting Physical Access to Cardholder Data

Requirements 10 & 11: Logging, Monitoring, and Security Testing

Requirement 12: Supporting Information Security with Organizational Policies

PCI DSS Implementation Process

PCI DSS Implementation Roadmap

Scoping and Scope Reduction Strategies

Gap Assessment and Remediation Planning

Network Security Implementation for PCI DSS

Account Data Protection: Encryption and Tokenization

Access Control and Authentication Implementation

Logging, Monitoring, and Vulnerability Management

PCI DSS Validation and Assessment

Self-Assessment Questionnaire (SAQ) Types: Choosing the Right One

Engaging a Qualified Security Assessor (QSA)

The Report on Compliance (ROC)

Preparing for the QSA Assessment

The Attestation of Compliance (AoC)

Common QSA Findings and How to Prevent Them

Maintaining PCI DSS Compliance: The Annual Cycle

PCI DSS Technical Controls

Network Segmentation for PCI DSS

Encryption and Key Management

Multi-Factor Authentication: PCI DSS v4.0 Requirements

Web Application Security and WAF

Logging and Monitoring for PCI DSS

Vulnerability Scanning and Penetration Testing

Point of Interaction (POI) Device Security

PCI DSS In Context

PCI DSS for E-Commerce and Online Payments

PCI DSS for Fintech and Payment Service Providers

PCI DSS for Banks and Acquiring Organizations

PCI DSS and Cloud: AWS, GCP, and Azure

PCI DSS and Indonesian Regulations: BI, OJK, and UU PDP

Multi-Framework Compliance: PCI DSS + ISO 27001 + SOC 2

Building a Mature Payment Security Program Beyond Compliance