PCI DSS (Data Security Standard) Guidance for Access Control

PCI SSC recommends restricting access to cardholder data based on need to know, giving each user a unique ID, and having physical security in place.

PCI DSS access control

The Payment Card Industry Data Security Standard (PCI DSS) consists of six goals and 12 requirements aimed at keeping cardholder data secure as it’s processed, stored, or transmitted. One of the PCI DSS goals, strong access control measures, has three related best practices for regulating and monitoring cardholder information use.

PCI DSS Access Control Requirement #1: Restrict Access Based on Need to Know

The PCI Security Standards Council (PCI SSC) recommends limiting access to cardholder data only to people in an organization whose jobs require it. Technology advancements make it possible to rethink old processes and allow only specific people to see human-readable card numbers when necessary. Role-based access control within a point of sale (POS) or retail management system, for example, could allow a store manager to retrieve cardholder information but prohibit sales associates or cashiers from seeing it, even if the entire staff uses common terminals or computers. Additionally, pay-at-the-table solutions and tokenization could enable staff to manage transactions without ever seeing card numbers.

With more control of access, the risks that cardholder data will fall into the wrong hands decreases.

PCI DSS Access Control Requirement #2: Give Each User a Unique ID

For applications that use or store cardholder data, PCI DSS requires that each user have unique credentials. Unique ID gives visibility into each user’s activity in a business’ POS, accounting, or other systems. IDs can be in the form of smart cards, fobs, or biometric authentication. Businesses can also use logins and passwords to identify users, but that information should be encrypted when stored or transmitted.

Two-factor authentication provides an added layer of security. If a password or smart card is stolen, an unauthorized person could not use it to gain access to a system without the second form of authentication.

PCI DSS Access Control Requirement #3: Restrict Physical Access

Although PCI DSS includes best practices for digital security, it also stresses that physical security is just as important. Business owners need to protect information and devices from physical theft as well as hacking. PCI SCC advises that businesses have processes in place that identify visitors from employees in restricted areas and to keep a visitor log. Door locks and other physical security measures should ensure a location that uses or stores cardholder data is secure, day and night.

The business should also train employees on best practices for protecting cardholder data in unusual circumstances, such as using phone confirmations for transactions during a payment system outage. Employees should never leave hard copies of card data where unauthorized people could see it or store cardholder data on their computers. Businesses should also train employees to destroy any copy of cardholder data when it’s no longer needed and avoid printing complete cardholder data on receipts.

How ISVs Can Assist With Cardholder Data Protection

Although the burden is on your clients to put best practices in place, the applications you develop can give businesses the tools they need to limit access control to cardholder data. You can provide your clients with features such as multifactor authentication and role-based access control. Also, give your clients options for user authentication, including fingerprint or other biometric ID, or you can require strong user passwords.

Moreover, your applications can reflect the other goals and requirements of PCI DSS to help your clients comply. Ensure the applications you develop support PCI best practices to keep cardholder data safe. 


EVO Payments provides secure, reliable EMV payment integrations to the POS market. Our experienced developer support team makes sure your solution gets integrated and to market quickly and successfully. Sterling has more than 400 ISV integrations, provides international opportunities, and has lucrative partner referral programs.