This requirement mandates that we limit access to CHD to only those who absolutely need it. This includes proper separation of duties to prevent collusion, and the concept of least privilege (7.1.2), i.e. granting only the minimum level of access required to perform a function.
Roles must be defined for specific business and IT functions (7.1.1) that specify which system access and which level of access (user, reviewer, administrator, etc.) is required for each role. Often this will come with job description functions and system/application roles assigned to those functions (7.1.3). Granting of roles and permissions must be documented and approved by authorized individuals (7.1.4).
Requirement 7.2 requires implementing a Role-Based Access Control (RBAC) system with a default of "deny-all" (7.2.3). An RBAC system simply means that we assign permissions to roles, and roles to users (never permissions to users directly), often through group membership. This reduces the risk that an individual is given permissions that do not belong to them, or that some permissions are not removed when that individual changes functions. The RBAC system must cover all system components (7.2.1) and assign privileges to individuals (7.2.2), with no shared accounts used (8.5). Traceability of actions is a key objective of PCI DSS (necessary for an investigation should there ever be any form of incident or breach); it requires that roles be assigned to individual accounts and that no shared accounts be used.
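The deny-all, role-based model described above, as an added illustration that is not part of the original text or of any PCI DSS reference implementation. The role names, permission strings, user IDs and the short list of generic account names are constructed for the example; the point it shows is that permissions flow only through roles, so moving a user to a new function drops the old function's permissions, and every grant and decision is recorded against an individual account.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed roles per business/IT function and their permissions (7.1.1, 7.1.2).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "cardholder_support": {"chd:read_masked"},
    "payment_ops": {"chd:read_masked", "chd:read_full", "chd:update"},
    "db_admin": {"db:backup", "db:restore"},
}

# Constructed examples of generic/shared account names that must never hold a role (8.5).
GENERIC_ACCOUNTS = {"admin", "root", "shared_ops"}


@dataclass
class Rbac:
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)  # traceability of grants and decisions

    def assign_role(self, user: str, role: str, approver: str) -> None:
        """Grant a role to an individual; the grant is documented with its approver (7.1.4)."""
        if user in GENERIC_ACCOUNTS:
            raise ValueError(f"refusing to assign a role to shared account {user!r}")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)
        self.audit_log.append(f"GRANT user={user} role={role} approved_by={approver}")

    def change_function(self, user: str, new_role: str, approver: str) -> None:
        """Move a user to a new function: the old role set is replaced, so no stale
        permissions survive the change (there are no direct per-user grants to forget)."""
        old_roles = self.user_roles.get(user, set())
        self.audit_log.append(f"REVOKE user={user} roles={sorted(old_roles)} approved_by={approver}")
        self.user_roles[user] = set()
        self.assign_role(user, new_role, approver)

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny-all default (7.2.3): a permission is granted only if some role of the user carries it."""
        roles = self.user_roles.get(user, set())
        allowed = any(permission in ROLE_PERMISSIONS[r] for r in roles)
        self.audit_log.append(f"{'ALLOW' if allowed else 'DENY'} user={user} perm={permission}")
        return allowed
```

Because `is_allowed` consults only `ROLE_PERMISSIONS`, an unknown user or an unknown permission is denied without any special case.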
- Section 3.7.7 of Volume 3