Requirements 7, 8 & 9 of PCI DSS version 3.2.1 fall under the goal "Implement Strong Access Control Measures", covering both logical and physical access to cardholder data. You'll understand what each requirement asks for and discover practical guidance from experienced PCI assessors.
The key to achieving PCI DSS compliance is a thorough knowledge of each of the sub-requirements and how they will be assessed. In this course, PCI DSS: Restricting Access to Cardholder Data, you’ll learn how to interpret PCI DSS requirements 7, 8 & 9 and apply them to your organization. First, you’ll learn how PCI DSS requires role-based access control built on least privilege and need to know. Next, you’ll explore the long and prescriptive requirements about usernames, passwords and multi-factor authentication. Then you’ll take a look at the requirements related to the protection of cardholder data in physical form, whether written on paper or saved to electronic media. Finally, you’ll discover practical insights about these requirements from experienced PCI assessors. When you’ve finished this course, you will have the skills and knowledge to apply PCI DSS requirements 7, 8 and 9 to any organization’s environment and to determine whether it is compliant with the demands of the standard.
Course Overview

Hello, my name is John Elliot. Welcome to the course, PCI DSS: Restricting Access to Cardholder Data. In this course, I bring together the theoretical knowledge of PCI DSS requirements 7, 8, and 9, along with practical experience of how the standard really works.

‑And I'm Jacob Ansari. I'm a qualified security assessor, or QSA, with Schellman & Company, and I'm qualified to assess many of the PCI standards, including PCI DSS, PA‑DSS, and P2PE. I've been an assessor for 14 years and have been doing this since the predecessor standards to PCI DSS.

‑In this course, we will cover the authorization‑ and authentication‑related requirements of PCI DSS. So that's things like least privilege, access control, passwords, and multi‑factor authentication.

‑As well as looking at logical access controls, we're going to find out about the physical security requirements in DSS, ranging from simple things, such as visitor control and secure buildings, to how to prevent skimming and tampering attacks against devices that read payment cards.

‑For each PCI DSS requirement, I'm going to cover what the standard says, what it means, and what will be assessed by a QSA. Then Jacob and I will discuss some of the key practical aspects of getting compliance and being assessed.

‑Ideally, you'll already understand the basics of payment card processing and PCI DSS, but if you just want to get to grips with the requirements, you'll be able to jump straight in with no problems. By the end of this course, you'll have a great understanding of both the theory and the practice to help you restrict access to cardholder data following the PCI DSS requirements.

‑We do hope you'll join us to learn the theory and practice behind PCI DSS requirements 7, 8, and 9 with the PCI DSS: Restricting Access to Cardholder Data course, here, at Pluralsight.