{"id":70,"date":"2022-10-23T21:02:31","date_gmt":"2022-10-24T02:02:31","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=70"},"modified":"2022-10-23T21:02:33","modified_gmt":"2022-10-24T02:02:33","slug":"intro-to-pci-version-4-requirement-7","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/","title":{"rendered":"Intro to PCI version 4: Requirement 7"},"content":{"rendered":"\n<p>In PCI, requirements 7 and 8 seem to go hand in hand with each other, and if there weren\u2019t so many bleeding changes to 8 going into v4 I would have combined them into a single blog post (but there are, and I didn\u2019t).&nbsp; Requirement 7 is about access management and 8 is about authentication\/user account management.&nbsp; Two halves of the same coin.&nbsp; For this post we are going to just stick with R7, not to be confused with CR7 (if you know you know).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>So, as we have discussed in previous posts, the council is working to mature the standards in a way that adds accountability and limits the risk associated with human error.\u00a0 In requirement 7 for version 4, we see a continuation of this mindset.\u00a0 As you will notice when we run through the changes, most of them are focused on some form of oversight.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 7 in v4<\/h2>\n\n\n\n<p>The new controls in requirement 7 of version 4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>7.1.2 &#8211; Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood. 
&lt;- literally cut and paste this line from the post on requirement 6 (which was cut from 5, etc.)<\/li><li>7.2.4 &#8211; Review all user accounts and related access privileges appropriately.<\/li><li>7.2.5 &#8211; Assign and manage all application and system accounts and related access privileges appropriately.<\/li><li>7.2.5.1 &#8211; Review all access by application and system accounts and related access privileges.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes to the existing controls\u00a0<\/h2>\n\n\n\n<p>Requirement 7 is maturing along with the rest of the controls to expand not only the controls but the overall mindset and philosophy behind it.&nbsp; This is very evident in the changes to requirement 7\u2019s existing controls.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>7 \u2013 Clarification\/guidance \u2013 Updated principal requirement title to include system components and cardholder data.<\/li><li>7.1 \u2013 Now 7.2.1 \/ 7.2.2 \/ 7.2.3 \u2013 Clarification\/guidance &#8211; Removed requirement for specific documented procedures and added testing procedures to verify policies and procedures to each related requirement. (Expanding the requirements within the company documentation, which by its nature will require more involvement from management and business owners.)<\/li><li>7.1.1 \u2013 Now 7.2.1 \u2013 Clarification\/guidance &#8211; Clarified that the requirement is about defining an access control model.<\/li><li>7.1.2\/7.1.3 \u2013 Now 7.2.2 \u2013 Structure\/format &#8211; Combined requirements for assigning access based on job classification and function, and least privileges.<\/li><li>7.1.4 \u2013 Now 7.2.3 \u2013 Clarification\/guidance &#8211; Clarified that the requirement is about approval of required privileges by authorized personnel. 
(This is one that my clients with long-tenured employees have difficulty providing evidence for during their assessments.&nbsp; If you know you are going to have to provide proof of approval of your administrative staff\u2019s access levels, make a point of having an annual review that is thoroughly documented, in a format that can be exported into an evidentiary document.&nbsp; Don\u2019t just fall back on an email from their manager saying \u201cYup.&nbsp; Looks good.\u201d)<\/li><li>8.7 \u2013 Now 7.2.6 \u2013 Structure\/format &#8211; Moved requirement since it aligns better with the content in Requirement 7. (Aligns with our earlier comments on the two requirements being two halves of the same coin.)<\/li><li>7.2 \u2013 Now removed \u2013 Structure\/format &#8211; Removed \u201cnull\u201d requirement (all content pointed to other requirements).<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>As I mentioned at the start of the post, most of the changes to requirement 7 in version 4 have to do with adding oversight to the access management aspect of your environment.&nbsp; The new areas of 7 are focused on account management and review for user and system accounts, and the controls that have been modified have been reorganized to require a deeper dive into those areas to show compliance with the PCI standards.&nbsp; Developing proper management policies and processes will be key in improving your security stance in this realm.&nbsp; In a perfect world you will implement new processes for reviewing accounts (of all kinds) and find out you were already doing everything as you should.&nbsp; I suspect that some of you are going to have some amount of enlightenment when you start putting together an inventory of system level accounts. 
(Because if you don\u2019t have an accounting of these accounts, how can you perform the needed reviews on their access each year, as required in 7.2.5.1?)<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.&nbsp; Feel free to reach out to me directly with questions or to have a conversation via my email and\/or social media information on the TBF website.&nbsp; Thanks for taking the time to read my thoughts on PCI v4 Requirement 7.&nbsp; We will continue to work through each of the PCI requirements each week.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In PCI requirements 7 and 8 seem to go hand in hand with each other, and if there weren\u2019t so many bleeding changes to 8 going into v4 I would have combined them into a single blog post (but there are, and I didn\u2019t).&nbsp; Requirement 7 is about access management and 8 authentication\/user account management.&nbsp; &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Intro to PCI version 4: Requirement 7&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-70","post","type-post","status-publish","format-standard","hentry","category-shawn"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intro to PCI version 4: Requirement 7 - Shawn&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, 
max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Intro to PCI version 4: Requirement 7 - Shawn&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"In PCI requirements 7 and 8 seem to go hand in hand with each other, and if there weren\u2019t so many bleeding changes to 8 going into v4 I would have combined them into a single blog post (but there are, and I didn\u2019t).&nbsp; Requirement 7 is about access management and 8 authentication\/user account management.&nbsp; &hellip; Continue reading &quot;Intro to PCI version 4: Requirement 7&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-24T02:02:31+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-10-24T02:02:33+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Intro to PCI version 4: Requirement 7\",\"datePublished\":\"2022-10-24T02:02:31+00:00\",\"dateModified\":\"2022-10-24T02:02:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/\"},\"wordCount\":768,\"articleSection\":[\"Shawn\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/\",\"name\":\"Intro to PCI version 4: Requirement 7 - Shawn&#039;s 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-10-24T02:02:31+00:00\",\"dateModified\":\"2022-10-24T02:02:33+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/10\\\/23\\\/intro-to-pci-version-4-requirement-7\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Intro to PCI version 4: Requirement 7\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and 
Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Intro to PCI version 4: Requirement 7 - Shawn&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/","og_locale":"en_US","og_type":"article","og_title":"Intro to PCI version 4: Requirement 7 - Shawn&#039;s Blog","og_description":"In PCI requirements 7 and 8 seem to go hand in hand with each other, and if there weren\u2019t so many bleeding changes to 8 going into v4 I would have combined them into a single blog post (but there are, and I didn\u2019t).&nbsp; Requirement 7 is about access management and 8 authentication\/user account management.&nbsp; &hellip; Continue reading \"Intro to PCI version 4: Requirement 7\"","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-10-24T02:02:31+00:00","article_modified_time":"2022-10-24T02:02:33+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Intro to PCI version 4: Requirement 7","datePublished":"2022-10-24T02:02:31+00:00","dateModified":"2022-10-24T02:02:33+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/"},"wordCount":768,"articleSection":["Shawn"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/","name":"Intro to PCI version 4: Requirement 7 - Shawn&#039;s Blog","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-10-24T02:02:31+00:00","dateModified":"2022-10-24T02:02:33+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/10\/23\/intro-to-pci-version-4-requirement-7\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Intro to PCI version 4: Requirement 
7"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/70","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=70"}],"version-history":[{"count":1,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/70\/revisions"}],"predecessor-version":[{"id":71,"href":"https:\/\/terrabytefoundry.com\/
blog_s\/wp-json\/wp\/v2\/posts\/70\/revisions\/71"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=70"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=70"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=70"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}