PCI DSS: Restricting Access to Cardholder Data
Requirements 7, 8 & 9 of PCI DSS version 3.2.1 are to implement strong access control measures for cardholder data, both logical and physical. You'll understand what each requirement asks for and discover practical guidance from experienced PCI assessors.
What you'll learn
The key to achieving PCI DSS compliance is a thorough knowledge of each of the sub-requirements and how they will be assessed. In this course, PCI DSS: Restricting Access to Cardholder Data, you’ll learn how to interpret PCI DSS requirements 7, 8 & 9, and apply them to your organization. First, you’ll learn how PCI DSS wants access to be role-based and granted on the basis of least privilege and need to know. Next, you’ll explore the long and prescriptive requirements about usernames, passwords and multi-factor authentication. Then you’ll take a look at the requirements related to the protection of cardholder data in physical format – written on paper and saved to electronic media. Finally, you’ll discover practical insights about both requirements from experienced PCI assessors. When you’ve finished with this course, you will have the skills and knowledge to apply PCI DSS requirements 7, 8 and 9 to any organization’s environment and to determine whether it is compliant with the demands of the standard.
Table of contents
- Requirement 8.1 8m
- Requirement 8.2 7m
- Requirement 8.3 3m
- Requirement 8.4 1m
- Requirement 8.5 2m
- Requirement 8.6 1m
- Requirement 8.7 1m
- Requirement 8.8 1m
- Understanding the User Life Cycle and Service Accounts 5m
- Passwords and Password Managers 5m
- Multi-factor Authentication and Jump Hosts 4m
- SSH Keys and MFA 2m
- Typical Identification and Authentication Failures 3m
- Database Access Restrictions (Requirement 8.7) 2m
- Assessment Failures, Crummy MFA, and Data Compromises 4m
- Requirement 9.1 8m
- Requirement 9.2 1m
- Requirement 9.3 1m
- Requirement 9.4 3m
- Requirement 9.5 2m
- Requirement 9.6 3m
- Requirement 9.7 2m
- Requirement 9.8 3m
- Why QSAs Fixate on Physical Requirements 3m
- The Labelling Media Myth 1m
- CCTV, Legal Constraints, and Outsourced Data Centers 3m
- Physical Security & Data Breaches, and Assessments 4m