Requirement 7: Restrict access to cardholder data by business need to know

The detailed requirements in this section are relevant to HCL Commerce. Review each point carefully.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • 7.1.1 Define access needs for each role, including:
    • System components and data resources that each role needs to access for their job function
    • Level of privilege required (for example, user, administrator, etc.) for accessing resources.
  • 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
  • 7.1.3 Assign access based on individual personnel's job classification and function.
  • 7.1.4 Require documented approval by authorized parties specifying required privileges.

HCL Commerce has an extremely powerful, flexible, and customizable access control mechanism. This automated mechanism assigns privileges based on the role(s) assigned to the user ID. To comply with 7.1.3, ensure that an authorization form is required for all access. WebSphere Commerce does not provide this form.

For a complete overview of access control, see Understanding access control.

7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
  • 7.2.1 Coverage of all system components
  • 7.2.2 Assignment of privileges to individuals based on job classification and function
  • 7.2.3 Default "deny-all" setting

Policy Manager is the access control component that determines whether the current user is allowed to execute the specified action on the specified resource, according to their job role. User IDs that are not assigned a job role are denied all access by default unless you modify the default access control policies.

Access control policies are specified in XML format. During instance creation, the default policies and policy groups are loaded into the appropriate database tables. When the HCL Commerce Application Server starts, the access control information is cached in memory so that Policy Manager can quickly check a user's authorization when called to do so.

For more information, see Enforcing access control.
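
The default-deny behavior described above, as an added example that is not HCL Commerce code: allow rules are parsed from XML once, cached in memory, and a request succeeds only when one of the user's roles has a matching rule. The XML element names, role names, resources, and user IDs are constructed for illustration and are not the HCL Commerce policy schema.

```python
import xml.etree.ElementTree as ET

# Constructed policy document. Element and attribute names are
# hypothetical and are NOT the HCL Commerce policy schema.
POLICY_XML = """
<policies>
  <policy role="CustomerServiceRep" action="view"   resource="Order"/>
  <policy role="CustomerServiceRep" action="view"   resource="MaskedPAN"/>
  <policy role="PaymentAdmin"       action="view"   resource="MaskedPAN"/>
  <policy role="PaymentAdmin"       action="refund" resource="Payment"/>
</policies>
"""

# Constructed role assignments; "carol" has no job role.
USER_ROLES = {
    "alice": {"CustomerServiceRep"},
    "bob": {"PaymentAdmin"},
    "carol": set(),
}


def load_policies(xml_text):
    """Parse once and cache the allow rules as an immutable set of triples."""
    root = ET.fromstring(xml_text)
    rules = set()
    for p in root.iter("policy"):
        triple = (p.get("role"), p.get("action"), p.get("resource"))
        if None in triple:
            # Reject malformed entries instead of caching a partial rule.
            raise ValueError(f"incomplete policy entry: {p.attrib}")
        rules.add(triple)
    return frozenset(rules)


POLICY_CACHE = load_policies(POLICY_XML)


def is_allowed(user, action, resource, cache=POLICY_CACHE, roles=USER_ROLES):
    """Default deny: True only if one of the user's roles has a matching rule."""
    return any((role, action, resource) in cache for role in roles.get(user, ()))


def users_without_role(roles=USER_ROLES):
    """Accounts that hold no role and are therefore denied everything."""
    return sorted(u for u, r in roles.items() if not r)
```

There is no deny rule in this model: access exists only where a rule grants it, so an unknown user, a user with no role, or an unlisted action all fall through to a denial.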

7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

The merchant is responsible for documenting and communicating the security policies and operational procedures to all affected parties.