PCI DSS 7.1.3: Defining an Access Control Model with Least Privilege
PCI DSS 7.1.3 requires you to define a formal access control model that enforces least privilege, need-to-know principles, and segregation of duties. Without a documented model, your organization risks unauthorized access to cardholder data and audit failures. This control is foundational—get it right and everything else becomes easier.
What this means
An access control model is a documented framework that defines how users, administrators, and systems are granted permissions across your environment. It must incorporate three core principles: least privilege (users receive only the minimum access needed), need-to-know (access is restricted by role and business function), and segregation of duties (no single person controls a complete transaction or sensitive process). This model applies to all systems handling, storing, or transmitting cardholder data.
How to comply
- 1.Document your access control model in a written policy, including the principles of least privilege, need-to-know, and segregation of duties.
- 2.Define role-based access control (RBAC) or attribute-based access control (ABAC) that maps job functions to specific permissions.
- 3.Identify critical duties that must be segregated (e.g., approval and execution, authorization and reconciliation, coding and testing).
- 4.Map each user role to the minimum set of access rights required to perform their job.
- 5.Define how new users are granted access (provisioning) and how access is revoked when roles change or employment ends (deprovisioning).
- 6.Review and update the access control model annually and whenever significant business or system changes occur.
- 7.Communicate the model to relevant stakeholders and ensure it is enforced through identity and access management (IAM) systems.
Evidence auditors look for
- Signed and dated access control policy document describing least privilege, need-to-know, and segregation of duties principles.
- Role-based access control matrix showing job functions, associated roles, and specific system permissions.
- Examples of segregated duties (e.g., separate approvers and executors in payment processing workflows).
- Access provisioning and deprovisioning procedures with approval workflows.
- Documentation of annual access control model reviews with dates and personnel signatures.
- IAM system reports showing role assignments and permission mappings aligned to the documented model.
- Change log showing updates to the access control model and reasons for modifications.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch maps your user roles and permissions automatically from active systems, generates a visual access control matrix aligned to PCI DSS 7.1.3, and flags segregation-of-duty violations in real time—eliminating manual spreadsheets and compliance gaps.
See how GRCWatch handles this control automatically
Start free trial