Requirement 7: Restrict access to cardholder data by business need to know
The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.
- 7.1.1
Define access needs for each role, including:
- System components and data resources that each role needs to access for their job function
- Level of privilege required (for example, user, administrator, etc.) for accessing resources.
- 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
- 7.1.3 Assign access based on individual personnel's job classification and function.
- 7.1.4 Require documented approval by authorized parties specifying required privileges.
HCL Commerce has an extremely powerful, flexible, and customizable access control mechanism. This automated mechanism assigns privileges based on the role(s) assigned to the user ID. To comply with 7.1.3, ensure that an authorization form is required for all access. WebSphere Commerce does not provide this form.
For a complete overview of access control, see:
- 7.2.1 Coverage of all system components
- 7.2.2 Assignment of privileges to individuals based on job classification and function
- 7.2.3 Default "deny-all" setting
Policy Manager is the access control component that determines whether or not the current user is allowed to execute the specified action on the specified resource, according to their job role. User IDs that are not assigned a job role, are denied all access by default unless you modify the default access control policies.
Access control policies are specified in XML format. During instance creation, the default policies and policy groups are loaded into the appropriate database tables. When HCL Commerce Application Server is started up, the access control information is cached in memory so that Policy Manager can quickly check a users authorization when called to do so.
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
The merchant is responsible for documenting and communicating the security policies and operational procedures to all affected parties.