PCI DSS 7.2.2: Assign Access Based on Job Classification
PCI DSS 7.2.2 requires that user access—including privileged access—be assigned according to job classification and function. This principle prevents unauthorized access by ensuring users only receive permissions necessary for their role. For SMBs managing payment data, this control is foundational to limiting breach exposure and maintaining compliance.
What this means
This control mandates a role-based access control (RBAC) model where access permissions are determined by an employee's job classification and specific function. Rather than granting ad-hoc permissions, organizations must establish predefined roles that align with business functions. Privileged users—those with elevated access to systems or data—must also follow this classification-based approach. The goal is to minimize unnecessary permissions and reduce the attack surface by ensuring each user can only access what their role requires.
How to comply
- 1.Document all job classifications and define the access requirements for each role
- 2.Create role-based access profiles that map job functions to specific system permissions
- 3.Implement access management controls that enforce role assignment at provisioning
- 4.Review and update role definitions annually or when job functions change
- 5.Audit user access quarterly to verify alignment with current job classifications
- 6.Establish a formal approval process requiring management sign-off for access assignments
- 7.Maintain detailed records linking user accounts to their assigned job classification
Evidence auditors look for
- Job classification documentation defining roles (e.g., developer, accountant, manager)
- Access control matrix showing which systems and data each role can access
- User access inventory with job classification and assigned role for each account
- Privileged access management (PAM) system showing role-based privilege assignments
- Access approval records signed by management authorizing role assignments
- Quarterly access review reports confirming users' access matches their job classification
- System logs showing role-based access enforcement at login and resource access
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates job classification mapping and role-based access assignment, flagging misaligned permissions during quarterly reviews and generating compliant audit trails—eliminating manual spreadsheet management for PCI DSS 7.2.2.
See how GRCWatch handles this control automatically
Start free trial