How to Comply with PCI DSS Compliance Requirement 7

8 months ago
Written by

Payment Card Industry Data Security Standard (PCI DSS) PCI DSS is a compliance framework that protects payment card data and promotes a culture of robust security practices within organizations that handle sensitive financial information.

For those organizations, PCI compliance means avoiding fines from credit card companies and maintaining their customer’s trust through safeguarding cardholder data from unauthorized access.

There are 12 requirements within the PCI DSS, including network security, data protection, access control, monitoring, and other areas that safeguard payment card data.

Each requirement comprises multiple sub-requirements that detail specific actions and security controls necessary for compliance.

PCI DSS Requirement 7 – Least Privilege Access Control

PCI DSS Requirement 7 focuses on restricting access to cardholder data by implementing a "need-to-know" or “principle of least privilege” basis within an organization. PCI DSS Requirement 7 mandates that you grant least privilege access to:

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Card Verification Value (CVV/CVC) code
  • Cardholder Billing Address
  • Phone Number

To comply with Requirement 7, organizations are required to:

  • Set-up Role-Based Access Control (RBAC)
    • Define access rights based on job responsibilities
  • Implement Least Privilege
    • Grant access to cardholder data only to those who require it for their specific job functions
  • Continuously Monitor
    • Log access to cardholder data and review regularly

This requirement aims to minimize the risk of unauthorized access to sensitive payment card data by limiting access to only individuals who genuinely need it to perform their job duties.

Build or Buy Considerations

When implementing least privilege access control, teams often trip up because good security often comes at the expense of usability.

But it doesn’t have to.

User-friendly access control workflows make people less likely to try to get around them. Here's what that typically looks like:

  • Self-serve access requests
    • Minimize steps for requesting and approving access
    • Enable requesting and approving from tools they’re already using
  • Automating policy enforcement
    • Automatically route requests to the correct approvers
    • Encode your policies like max duration of access, number of approvals, etc
  • Reducing manual admin tasks
    • Trigger provisioning automatically upon approval
    • Automatically revoke access after set duration
    • Log all access related events with full metadata to make auditing easier

Companies like Addepar and Robinhood chose to build their own least privilege access control system. To learn more about the building process, check out this great talk by Karthik Rangarajan, who helped both companies create their systems.

Not every team has the desire and resources to build and maintain a least privilege access control system, and for them, buying a solution to help them with compliance makes a lot of sense.

There’s a lot that goes into choosing a least privilege access control solution. Here’s a compilation of dozens of teams’ buying criteria in a handy scorecard that you’re welcome to use.

Faster, Compliant Access

Most of the time it's easier to pick a ready-to-go solution and get back to building. Teams can get set up with Indent to start granting compliant access in hours rather than quarters.

Indent allows users to request access to any cloud app that contains cardholder data, right from Slack.

That request can either be automatically approved for a preconfigured duration or routed to the right reviewer(s) for approval and a customizable access duration grant.

After the user’s access expires, it’s automatically revoked, with all relevant event data being logged for security and compliance purposes.

Check out the table below to see how Indent helps you meet PCI DSS Requirement 7 sub requirements.

7.2.1An access control requirements: • Appropriate access depending on the entity's business and access needs. • Access to system components and data resources that is based on users' job classification and functions. • The least privileges required (for example, user, administrator) to perform a job function.• Granular, role-based access • Able to grant access to employees, contractors, and third parties
7.2.2Access is assigned to users, including privileged users, based on: • Job classification and function. • Least privileges necessary to perform job responsibilities.• adds users to role-based groups • Auto-revokes access after set duration
7.2.3Required privileges are approved by authorized personnel.• Automatic request routing
7.2.4All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: • At least once every six months. • To ensure user accounts and access remain appropriate based on job function. • Any inappropriate access is addressed. • Management acknowledges that access remains appropriate. Note: This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.• Real-time approvals with no persistent access
7.2.5All application and system accounts and related access privileges are assigned and managed as follows: • Based on the least privileges necessary for the operability of the system or application. • Access is limited to the systems, applications, or processes that specifically require their use. Note: This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.• Granular, role-based access
7.2.6All user access to query repositories of stored cardholder data is restricted as follows: • Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. • Only the responsible administrator(s) can directly access or query repositories of stored CHD.• Granular, role-based access
Bonus: 8.2.4Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows: • Authorized with the appropriate approval. • Implemented with only the privileges specified on the documented approval.• Granular, role-based access with approvals

Teams like Modern Treasury and KnotAPI chose Indent to help them achieve and maintain PCI compliance.

Modern Treasury

Modern Treasury provides APIs for sending, receiving, and reconciling payments over any payment method, including ACH, wires, and RTP.

After achieving initial compliance, they realized that their manual access control wasn’t going to scale with their team. Getting access was taking days, and required manual admin work to revoke and document access.

By switching to Indent they were able to maintain compliance, but reduced the time it took to get access for employees who really needed it down to minutes rather than days, while reducing admin workloads.

“We're not actually blocking them. Like fifty-nine seconds is shorter than it takes to boot up a local rails server sometimes. So that's amazing to me that it's so on demand that anyone can access it and our CTO's not spending any time managing roles.”


KnotAPI programatically updates card on file information, cancel subscriptions and change passwords. They adopted Indent before they began their compliance journey.

Like Modern Treasury, they were handling their access control manually and were looking for a solution to handle an influx of engineers and temporary access for contractors. By using Indent they were able to reduce the admin time associated with managing access by 50% and reduce access wait times to just a few minutes.

“We’re excited to be able to bring the speed of on-demand access with Indent to our codebase to empower our engineers to move even faster while also reducing our breach risk.”

— Kieran O’Reilly, CTO at Knot API

Partner in PCI Compliance

PCI DSS Requirement 7 plays an important role in protecting critical financial information.

Implementing consistent least privilege access control keeps organizations in compliance, and shields them from fines from credit card companies, while maintaining the trust of their customers.

Becoming compliant doesn’t have to be difficult. For teams who want to lay the groundwork for compliance with Requirement 7 in a day, solutions like Indent can be set up in an hour.

If you're a Drata, Secureframe, or Vanta customer, you can also use Indent reports for your compliance audit evidence.

Want to learn more or get a guided installation? Get a demo and schedule time that works for you — we're happy to answer any questions you have!

Try Indent for free.