GRCWatch
Sign inStart free trial

PCI DSS 7.1.3: Defining an Access Control Model with Least Privilege

PCI DSS 7.1.3 requires you to define a formal access control model that enforces least privilege, need-to-know principles, and segregation of duties. Without a documented model, your organization risks unauthorized access to cardholder data and audit failures. This control is foundational—get it right and everything else becomes easier.

What this means

An access control model is a documented framework that defines how users, administrators, and systems are granted permissions across your environment. It must incorporate three core principles: least privilege (users receive only the minimum access needed), need-to-know (access is restricted by role and business function), and segregation of duties (no single person controls a complete transaction or sensitive process). This model applies to all systems handling, storing, or transmitting cardholder data.

How to comply

  1. 1.Document your access control model in a written policy, including the principles of least privilege, need-to-know, and segregation of duties.
  2. 2.Define role-based access control (RBAC) or attribute-based access control (ABAC) that maps job functions to specific permissions.
  3. 3.Identify critical duties that must be segregated (e.g., approval and execution, authorization and reconciliation, coding and testing).
  4. 4.Map each user role to the minimum set of access rights required to perform their job.
  5. 5.Define how new users are granted access (provisioning) and how access is revoked when roles change or employment ends (deprovisioning).
  6. 6.Review and update the access control model annually and whenever significant business or system changes occur.
  7. 7.Communicate the model to relevant stakeholders and ensure it is enforced through identity and access management (IAM) systems.

Evidence auditors look for

  • Signed and dated access control policy document describing least privilege, need-to-know, and segregation of duties principles.
  • Role-based access control matrix showing job functions, associated roles, and specific system permissions.
  • Examples of segregated duties (e.g., separate approvers and executors in payment processing workflows).
  • Access provisioning and deprovisioning procedures with approval workflows.
  • Documentation of annual access control model reviews with dates and personnel signatures.
  • IAM system reports showing role assignments and permission mappings aligned to the documented model.
  • Change log showing updates to the access control model and reasons for modifications.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch maps your user roles and permissions automatically from active systems, generates a visual access control matrix aligned to PCI DSS 7.1.3, and flags segregation-of-duty violations in real time—eliminating manual spreadsheets and compliance gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1.1 — Restrict access based on business needPCI DSS 7.1.2 — Provide access only to cardholder data environmentPCI DSS 8.2 — Ensure user identity is verified before modifying authentication credentialsPCI DSS 8.3 — Restrict access to cardholder data by user ID and authentication