{"id":4489,"date":"2019-09-05T10:00:26","date_gmt":"2019-09-05T10:00:26","guid":{"rendered":"https:\/\/evoipos.com\/?p=4489"},"modified":"2021-12-14T15:22:36","modified_gmt":"2021-12-14T20:22:36","slug":"pci-data-security-standard-guidance-for-access-control","status":"publish","type":"post","link":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/","title":{"rendered":"PCI Data Security Standard Guidance for Access Control"},"content":{"rendered":"<p>The Payment Card Industry Data Security Standard (PCI DSS) consists of six goals and 12 requirements aimed at keeping cardholder data secure as it\u2019s processed, stored, or transmitted. One of the <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI%20SSC%20Quick%20Reference%20Guide.pdf\">PCI DSS<\/a> goals, strong access control measures, has three related best practices for regulating and monitoring cardholder information use.<\/p>\n<p><strong>PCI DSS Access Control Requirement #1: Restrict Access Based on Need to Know <\/strong><\/p>\n<p>The PCI Security Standards Council (PCI SSC) recommends limiting access to cardholder data only to people in an organization whose jobs require it. Technology advancements make it possible to rethink old processes and allow only specific people to see human-readable card numbers when necessary. Role-based access control within a point of sale (POS) or retail management system, for example, could allow a store manager to retrieve cardholder information but prohibit sales associates or cashiers from seeing it, even if the entire staff uses common terminals or computers. 
Additionally, pay-at-the-table solutions and tokenization could enable staff to manage transactions without ever seeing card numbers.<\/p>\n<p>With more control of access, the risk that cardholder data will fall into the wrong hands decreases.<\/p>\n<p><strong>PCI DSS Access Control Requirement #2: Give Each User a Unique ID<\/strong><\/p>\n<p>For applications that use or store cardholder data, PCI DSS requires that each user have unique credentials. A unique ID gives visibility into each user\u2019s activity in a business\u2019 POS, accounting, or other systems. IDs can be in the form of smart cards, fobs, or biometric authentication. Businesses can also use logins and passwords to identify users, but that information should be encrypted when stored or transmitted.<\/p>\n<p>Two-factor authentication provides an added layer of security. If a password or smart card is stolen, an unauthorized person could not use it to gain access to a system without the second form of authentication.<\/p>\n<p><strong>PCI DSS Access Control Requirement #3: Restrict Physical Access<\/strong><\/p>\n<p>Although PCI DSS includes best practices for digital security, it also stresses that physical security is just as important. Business owners need to protect information and devices from physical theft as well as hacking. PCI SSC advises that businesses have processes in place that distinguish visitors from employees in restricted areas, and that they keep a visitor log. Door locks and other physical security measures should ensure a location that uses or stores cardholder data is secure, day and night.<\/p>\n<p>The business should also train employees on best practices for protecting cardholder data in unusual circumstances, such as using phone confirmations for transactions during a payment system outage. Employees should never leave hard copies of card data where unauthorized people could see it, and should never store cardholder data on their computers. 
Businesses should also train employees to destroy any copy of cardholder data when it\u2019s no longer needed and to avoid printing complete cardholder data on receipts.<\/p>\n<p><strong>How ISVs Can Assist With Cardholder Data Protection<\/strong><\/p>\n<p>Although the burden is on your clients to put best practices in place, the applications you develop can give businesses the tools they need to limit access to cardholder data. You can provide your clients with features such as multifactor authentication and role-based access control. You can also give your clients options for user authentication, such as fingerprint or other biometric ID, or require strong user passwords.<\/p>\n<p>Moreover, your applications can reflect the other goals and requirements of PCI DSS to help your clients comply. Ensure the applications you develop support PCI best practices to keep cardholder data safe.<\/p>","protected":false},"excerpt":{"rendered":"<p>PCI SSC 
recommends restricting access to cardholder data based on need to know, giving each user a unique ID, and having physical security in place. <\/p>\n","protected":false},"author":22,"featured_media":138,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_editorskit_title_hidden":false,"_editorskit_reading_time":2,"_editorskit_typography_data":[],"_editorskit_blocks_typography":"","_editorskit_is_block_options_detached":false,"_editorskit_block_options_position":"{}","_mi_skip_tracking":false},"categories":[7],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>PCI Data Security Standard Guidance for Access Control - EVO Payments<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PCI Data Security Standard Guidance for Access Control - EVO Payments\" \/>\n<meta property=\"og:description\" content=\"PCI SSC recommends restricting access to cardholder data based on need to know, giving each user a unique ID, and having physical security in place.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/\" \/>\n<meta property=\"og:site_name\" content=\"EVO Payments\" \/>\n<meta property=\"article:published_time\" content=\"2019-09-05T10:00:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-12-14T20:22:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg\" \/>\n\t<meta 
property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"201\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Lance Newalu\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.evopayments.us\/staging\/#website\",\"url\":\"https:\/\/www.evopayments.us\/staging\/\",\"name\":\"EVO Payments\",\"description\":\"Simplifying Payments Around the Globe. 150+ currencies across 50 markets worldwide.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.evopayments.us\/staging\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#primaryimage\",\"inLanguage\":\"en\",\"url\":\"https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg\",\"contentUrl\":\"https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg\",\"width\":900,\"height\":201},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#webpage\",\"url\":\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/\",\"name\":\"PCI Data Security Standard Guidance for Access Control - EVO 
Payments\",\"isPartOf\":{\"@id\":\"https:\/\/www.evopayments.us\/staging\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#primaryimage\"},\"datePublished\":\"2019-09-05T10:00:26+00:00\",\"dateModified\":\"2021-12-14T20:22:36+00:00\",\"author\":{\"@id\":\"https:\/\/www.evopayments.us\/staging\/#\/schema\/person\/0a06b032d3974eb829334f0d71e8de1d\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.evopayments.us\/staging\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PCI Data Security Standard Guidance for Access Control\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.evopayments.us\/staging\/#\/schema\/person\/0a06b032d3974eb829334f0d71e8de1d\",\"name\":\"Lance Newalu\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.evopayments.us\/staging\/#personlogo\",\"inLanguage\":\"en\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ebaf9d1ec66e7e090c6002b9a98d10c6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ebaf9d1ec66e7e090c6002b9a98d10c6?s=96&d=mm&r=g\",\"caption\":\"Lance Newalu\"},\"url\":\"https:\/\/www.evopayments.us\/staging\/author\/lance-newalu\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"PCI Data Security Standard Guidance for Access Control - EVO Payments","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/","og_locale":"en_US","og_type":"article","og_title":"PCI Data Security Standard Guidance for Access Control - EVO Payments","og_description":"PCI SSC recommends restricting access to cardholder data based on need to know, giving each user a unique ID, and having physical security in place.","og_url":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/","og_site_name":"EVO Payments","article_published_time":"2019-09-05T10:00:26+00:00","article_modified_time":"2021-12-14T20:22:36+00:00","og_image":[{"width":900,"height":201,"url":"https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Lance Newalu","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.evopayments.us\/staging\/#website","url":"https:\/\/www.evopayments.us\/staging\/","name":"EVO Payments","description":"Simplifying Payments Around the Globe. 
150+ currencies across 50 markets worldwide.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.evopayments.us\/staging\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en"},{"@type":"ImageObject","@id":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#primaryimage","inLanguage":"en","url":"https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg","contentUrl":"https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg","width":900,"height":201},{"@type":"WebPage","@id":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#webpage","url":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/","name":"PCI Data Security Standard Guidance for Access Control - EVO Payments","isPartOf":{"@id":"https:\/\/www.evopayments.us\/staging\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#primaryimage"},"datePublished":"2019-09-05T10:00:26+00:00","dateModified":"2021-12-14T20:22:36+00:00","author":{"@id":"https:\/\/www.evopayments.us\/staging\/#\/schema\/person\/0a06b032d3974eb829334f0d71e8de1d"},"breadcrumb":{"@id":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.evopayments.us\/staging\/pci-data-security-standard-guidance-for-access-control\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.evopayments.us\/staging\/"},{"@type":"ListItem","position":2,"nam
e":"PCI Data Security Standard Guidance for Access Control"}]},{"@type":"Person","@id":"https:\/\/www.evopayments.us\/staging\/#\/schema\/person\/0a06b032d3974eb829334f0d71e8de1d","name":"Lance Newalu","image":{"@type":"ImageObject","@id":"https:\/\/www.evopayments.us\/staging\/#personlogo","inLanguage":"en","url":"https:\/\/secure.gravatar.com\/avatar\/ebaf9d1ec66e7e090c6002b9a98d10c6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ebaf9d1ec66e7e090c6002b9a98d10c6?s=96&d=mm&r=g","caption":"Lance Newalu"},"url":"https:\/\/www.evopayments.us\/staging\/author\/lance-newalu\/"}]}},"uagb_featured_image_src":{"full":["https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg",900,201,false],"thumbnail":["https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799-150x150.jpg",150,150,true],"medium":["https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799-300x67.jpg",300,67,true],"medium_large":["https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799-768x172.jpg",768,172,true],"large":["https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-1024x299.jpg",1024,299,true],"1536x1536":["https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg",900,201,false],"2048x2048":["https:\/\/www.evopayments.us\/staging\/wp-content\/uploads\/2018\/09\/banner-pci-qir-e1593541784799.jpg",900,201,false]},"uagb_author_info":{"display_name":"Lance Newalu","author_link":"https:\/\/www.evopayments.us\/staging\/author\/lance-newalu\/"},"uagb_comment_info":0,"uagb_excerpt":"PCI SSC recommends restricting access to cardholder data based on need to know, giving each user a unique ID, and having physical security in 
place.","_links":{"self":[{"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/posts\/4489"}],"collection":[{"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/comments?post=4489"}],"version-history":[{"count":6,"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/posts\/4489\/revisions"}],"predecessor-version":[{"id":20864,"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/posts\/4489\/revisions\/20864"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/media\/138"}],"wp:attachment":[{"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/media?parent=4489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/categories?post=4489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.evopayments.us\/staging\/wp-json\/wp\/v2\/tags?post=4489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}