PCI DSS 7.2.6: Restrict Cardholder Data Repository Query Access
PCI DSS 7.2.6 requires that all user access to cardholder data repositories be restricted through application-level controls based on defined user roles. This control prevents unauthorized data exposure by ensuring only users with legitimate business needs can query sensitive payment card information.
What this means
This control mandates implementing application-based access restrictions that enforce role-based permissions for database queries containing stored cardholder data (CHD). Rather than relying on database-level controls alone, your applications must authenticate user roles and restrict query results based on job function requirements. Only users with explicit authorization should retrieve, view, or export CHD from repositories.
How to comply
- 1.Define user roles based on job functions and business requirements for CHD access
- 2.Implement application-level controls that authenticate and verify user roles before processing queries
- 3.Configure query filters and result restrictions tied to each user role
- 4.Log all CHD query activities including user ID, timestamp, and data accessed
- 5.Regularly review and update role definitions as business needs change
- 6.Test role-based access controls to confirm users cannot bypass restrictions
- 7.Document the application architecture and access control mechanisms
Evidence auditors look for
- Application source code showing role-based query filtering logic
- Database query logs filtered by user role showing restricted result sets
- Role definition documentation mapping job titles to CHD access permissions
- Access control test results demonstrating role enforcement
- Query audit logs with user identification and timestamps
- Application configuration files defining role-based access policies
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates role-based access control enforcement by mapping user identities to PCI DSS-compliant query restrictions, eliminating manual permission configurations and generating audit logs that directly demonstrate 7.2.6 compliance.
See how GRCWatch handles this control automatically
Start free trial