Requirement 7: Restrict access to cardholder data by business need to know

Tracking the access rights of many individual users quickly becomes unmanageable. Role-based access control (RBAC) makes the task tractable by grouping privileges into roles that correspond to job functions.

Employee roles should be identified and documented so that it is clear which job functions genuinely require access to cardholder data or to systems in the cardholder data environment (CDE). Each role should carry only the privileges needed to perform that job function (least privilege), and each individual should be placed in only the roles their job requires. Access rights are assigned to roles and individuals are assigned to roles; access rights are never assigned directly to a user, since direct grants bypass the role model and are easy to lose track of. Anything not explicitly granted through a role must be denied by default. Documented approval (who approved, and on what basis) must be maintained for every individual role assignment, and assignments should be reviewed and revoked when a person's job function changes so that access does not accumulate over time.
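The following is an added example, not part of the original page and not any PCI-mandated implementation: a minimal RBAC model in which permissions are attached only to roles, users are bound to roles with an approval record, authorization is default-deny, and two audit helpers list assignments with no documented approval and enumerate who currently holds a given access (the input to an access review). All role, user, system and ticket names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Permission:
    """One allowed action on one resource, e.g. ("cde:payment-db", "read")."""
    resource: str
    action: str


@dataclass
class RoleAssignment:
    """A user-to-role binding plus the approval that authorised it."""
    role: str
    approved_by: Optional[str] = None  # None means no documented approval
    ticket: Optional[str] = None       # change/approval reference, if any


class RBAC:
    def __init__(self) -> None:
        # Permissions hang off roles only; there is no user->permission map,
        # so a direct grant to a user is impossible by construction.
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, List[RoleAssignment]] = {}

    def define_role(self, role: str, perms: List[Tuple[str, str]]) -> None:
        self.role_perms[role] = {Permission(r, a) for r, a in perms}

    def assign(self, user: str, role: str,
               approved_by: Optional[str] = None,
               ticket: Optional[str] = None) -> None:
        if role not in self.role_perms:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, []).append(
            RoleAssignment(role, approved_by, ticket))

    def revoke(self, user: str, role: str) -> None:
        self.user_roles[user] = [a for a in self.user_roles.get(user, [])
                                 if a.role != role]

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Default deny: unknown user, unknown resource or no matching role -> False."""
        wanted = Permission(resource, action)
        return any(wanted in self.role_perms.get(a.role, set())
                   for a in self.user_roles.get(user, []))

    def unapproved_assignments(self) -> List[Tuple[str, str]]:
        """Role assignments with no documented approval (an audit finding)."""
        return sorted((u, a.role)
                      for u, assignments in self.user_roles.items()
                      for a in assignments if a.approved_by is None)

    def users_with_access(self, resource: str, action: str) -> Set[str]:
        """Who can currently do `action` on `resource`; input to an access review."""
        return {u for u in self.user_roles
                if self.is_allowed(u, resource, action)}


def build_sample() -> RBAC:
    """Constructed sample data (hypothetical roles, users and tickets)."""
    rbac = RBAC()
    rbac.define_role("payment-ops", [("cde:payment-db", "read")])
    rbac.define_role("cde-admin", [("cde:payment-db", "admin"),
                                   ("cde:jump-host", "login")])
    rbac.define_role("marketing", [("crm:reports", "read")])
    rbac.assign("alice", "payment-ops", approved_by="bob", ticket="CHG-1042")
    rbac.assign("carol", "cde-admin")            # no approval recorded
    rbac.assign("dave", "marketing", approved_by="bob", ticket="CHG-1043")
    return rbac


if __name__ == "__main__":
    rbac = build_sample()
    print("alice read payment-db:", rbac.is_allowed("alice", "cde:payment-db", "read"))
    print("dave read payment-db:", rbac.is_allowed("dave", "cde:payment-db", "read"))
    print("unapproved assignments:", rbac.unapproved_assignments())
    print("can read payment-db:", rbac.users_with_access("cde:payment-db", "read"))
```

Note that permissions are matched exactly: the "admin" permission does not silently imply "read", so every access a role conveys has to be written down explicitly, which is what a reviewer needs to see. In a real deployment the approval record would live in the identity system or ticketing tool rather than in memory, but the two audit queries are the ones worth reproducing there.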

