GRCWatch
Sign inStart free trial

PCI DSS 7.2.3: Obtain Approval for Required Privileges

PCI DSS 7.2.3 requires that all user access privileges be approved by authorized personnel before implementation. This control ensures accountability and prevents unauthorized access escalation by enforcing a formal approval workflow. Without documented privilege approvals, your organization cannot demonstrate compliance with PCI DSS access control requirements.

What this means

This control mandates that before granting any user access rights or elevated privileges within systems that process payment card data, an authorized individual must explicitly approve the request. Approval should be based on the principle of least privilege and documented to create an audit trail. This applies to initial privilege grants, privilege modifications, and any changes to a user's access level.

How to comply

  1. 1.Define who is authorized to approve privilege requests (typically managers, system owners, or security personnel)
  2. 2.Create a formal privilege request process requiring documented approval before access is granted
  3. 3.Ensure approvers verify the business justification and necessity for each privilege request
  4. 4.Maintain records of all privilege approvals with approver name, date, and requested privileges
  5. 5.Implement a workflow system that prevents privilege activation until proper approval is obtained
  6. 6.Review approval processes quarterly to ensure authorized personnel list remains current
  7. 7.Document approval criteria aligned with job responsibilities and the principle of least privilege

Evidence auditors look for

  • Privilege request forms signed by authorized approvers
  • Email approvals from managers or system owners granting access
  • Workflow logs showing approval status before privilege implementation
  • Access control documentation listing approved privilege levels by user
  • System screenshots demonstrating approval requirement enforcement
  • Approval matrix showing which roles can approve specific privilege types
  • Audit logs capturing timestamp of approval and privilege activation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates privilege approval workflows with built-in authorization matrices and audit trails, eliminating manual approval tracking and ensuring every privilege grant is documented and traceable for 7.2.3 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1 - Restrict access to cardholder dataPCI DSS 7.2.1 - Establish access control for system componentsPCI DSS 7.2.2 - Restrict access to privileged user IDsPCI DSS 8.1 - User identification and authentication