GRCWatch
Sign inStart free trial

PCI DSS 7.2.1: Default Deny All Access

Default deny access is the foundational security principle that ensures no user, system, or service can access resources unless explicitly granted permission. This PCI DSS requirement prevents unauthorized access from becoming the path of least resistance in your environment. Implementing this control is non-negotiable for payment card data protection.

What this means

Your access control system must be configured with a default deny posture, meaning all access requests are rejected unless a specific rule explicitly allows them. This inverts the traditional approach where administrators must remember to block everything—instead, they explicitly whitelist only necessary access. This applies to user access, administrative privileges, system-to-system communications, and network traffic.

How to comply

  1. 1.Configure your Identity and Access Management (IAM) system to default-deny for all roles and permissions
  2. 2.Establish explicit allow rules only for required business functions, documenting justification for each access grant
  3. 3.Implement default-deny network firewall rules and test that traffic is blocked by default before allowing exceptions
  4. 4.Apply default-deny principles to database access, API endpoints, and application-level resources
  5. 5.Review and remove any standing 'allow all' rules or overly permissive wildcard policies
  6. 6.Enforce default-deny in administrative access controls and privileged account management systems
  7. 7.Document your access control policy and ensure it explicitly references default-deny as the baseline

Evidence auditors look for

  • IAM policy documentation showing default-deny as the baseline permission model
  • Screenshots of firewall rules configured with implicit deny as the default action
  • Access control lists (ACLs) demonstrating explicit allow rules for specific users, systems, or traffic
  • Database permission audit showing no public or overly broad access grants
  • API gateway configuration logs showing default-deny with explicit routes allowed
  • Administrative access control matrix documenting who has what permissions and why
  • Audit logs showing denied access attempts that the default-deny rule blocked

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates default-deny policy configuration and ongoing compliance verification, continuously monitoring your IAM, firewall, and database rules to ensure no unintended allow-all exceptions slip through.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1 — Limit access to system components by business need to knowPCI DSS 7.2.2 — Set user access based on need-to-know principlePCI DSS 7.2.3 — Default-deny all access unless specifically allowedPCI DSS 8.2 — Assign unique user IDs and authenticationPCI DSS 8.3 — Restrict physical and logical access to cardholder data