IT-11 Standard for Access Control on Networks Processing Cardholder Data


In this article

Purpose

This document establishes a formal access control standard and outlines the related requirements specified in the Payment Card Industry Data Security Standards that must be implemented into all UMD network infrastructures that are processing cardholder data.

Top

Additional authority

The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirements 7, 8, and 9.

Top

Scope

This standard applies to all UMD network infrastructures that are transmitting and processing cardholder data. PCI DSS defines the following data elements as cardholder data: full Primary Account Number (PAN) or full PAN plus any of the following: Cardholder name, expiration date, service code, information from magnetic strip or card chip, and/or Personal Identification Number.

Top

Standard

Access to networks processing cardholder data must be controlled in order to minimize the likelihood of unauthorized access to, and modification of, the cardholder data. An effective access control program requires that security controls are implemented to provide detection, prevention and protection against unauthorized access vulnerabilities. These security controls are addressed by the requirements specified in this standard and must be implemented in order to be compliant with the PCI DSS access control related requirements.

NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.

Top

Requirements

Accessing cardholder data

Top

Authentication and identification

Top

Restrict physical access of cardholder data

Top