Secure > Overview: WebSphere Commerce and the PCI Data Security Standard > Address the PCI Data Security Standard within WebSphere Commerce
Requirement 7: Restrict access to cardholder data by business need to know
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
- 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
- 7.1.2 Assignment of privileges is based on individual personnel's job classification and function
- 7.1.3 Requirement for an authorization form signed by management that specifies required privileges
- 7.1.4 Implementation of an automated access control system
WebSphere Commerce has an extremely powerful, flexible, and customizable access control mechanism. This automated mechanism assigns privileges based on the role(s) assigned to the user ID.
To comply with 7.1.3, ensure that an authorization form is required for all access. WebSphere Commerce does not provide this form.
For a complete overview of access control, see:
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
- 7.2.1 Coverage of all system components
- 7.2.2 Assignment of privileges to individuals based on job classification and function
- 7.2.3 Default "deny-all" setting
Policy Manager is the access control component that determines whether or not the current user is allowed to execute the specified action on the specified resource, according to their job role. User IDs that are not assigned a job role, are denied all access by default unless you modify the default access control policies.
Access control policies are specified in XML format. During instance creation, the default policies and policy groups are loaded into the appropriate database tables. When WebSphere Commerce Application Server is started up, the access control information is cached in memory so that Policy Manager can quickly check a users authorization when called to do so.
Previous topic: Requirement 6: Develop and maintain secure systems and applications
Next topic: Requirement 8: Assign a unique ID to each person with computer access