18. Data Control & Access Control Policies

Overview

In accordance with Payment Card Industry Data Security Standard (PCI DSS) requirements, UIT-PCI Compliance Services has established a formal policy and supporting procedures concerning data control and access control. This policy is to be implemented immediately. It will be evaluated on an annual basis to ensure its adequacy and relevance to UIT-PCI Compliance Services’ needs and goals.

Policy

UIT-PCI Compliance Services will ensure that the Data Control & Access Control policy adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standard (PCI DSS) initiatives (PCI DSS Requirements and Security Assessment Procedures):

  • Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • Access needs are to be defined for each respective role, specifically:
    • System components and data resources that each role needs to access for its job function.
    • Level of privilege required for accessing resources.
  • Access rights for privileged users are restricted to the least privileges necessary to perform job responsibilities.
  • Privileges are assigned to individuals based on job classification and function, such as Role-Based Access Control (RBAC).
  • An authorization form is required for all access, which must specify required privileges, and must be signed by management.
  • Access control systems are in place on all system components.
  • Access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
  • Access control systems have a default Deny All setting.
  • Security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

18.1 Working-From-Home (WFH) access control for PCI network and accounts:

Only the following two types of users are qualified to request and be granted PCI WFH access:

  • 18.1.1 UIT Core Infrastructure staff with responsibility for PCI application development, system administration or production support. Approval from the employee's direct supervisor and the UIT Compliance Director is required.
  • 18.1.2 Active merchant account users in a merchant department with responsibility for payment card processing and cardholder support. Approval from the merchant user's direct supervisor and the merchant department account owner is required.

Responsibility for Policy Maintenance

UIT’s PCI Compliance service is responsible for ensuring that the aforementioned policy is kept current as needed for purposes of compliance with the Payment Card Industry Data Security Standard (PCI DSS) initiatives.