GRCWatch
Sign inStart free trial

PCI DSS 7.3.3: Set Access Control Systems to Deny by Default

A deny-by-default access control system is foundational to PCI DSS compliance and reduces your attack surface by rejecting all access unless explicitly granted. This control prevents unauthorized access to critical systems and cardholder data by inverting the traditional approach: nothing is permitted until proven necessary. For SMBs managing payment card data, implementing this principle is non-negotiable.

What this means

Deny-by-default, also known as 'principle of least privilege,' means your access control system automatically rejects all access requests unless you've explicitly granted permission. Rather than maintaining a blocklist of denied users or resources, you maintain an allowlist of approved access. This shifts the security burden from reactive blocking to proactive permission granting, ensuring only authorized users can reach sensitive systems and data.

How to comply

  1. 1.Audit all current access control policies and identify exceptions or overly permissive rules
  2. 2.Document all legitimate access requirements for each user role and system
  3. 3.Reconfigure access control lists (ACLs) and firewall rules to deny all traffic by default
  4. 4.Create explicit allow rules only for necessary, documented access paths
  5. 5.Implement role-based access control (RBAC) with minimal default permissions per role
  6. 6.Test all legitimate access flows to ensure business-critical systems remain functional
  7. 7.Monitor and log all access attempts, both denied and allowed
  8. 8.Review and update access rules quarterly or when business requirements change

Evidence auditors look for

  • Firewall configuration screenshots showing default-deny rules with explicit allow statements
  • Network segmentation diagrams documenting restricted access zones
  • Access control list (ACL) configurations for databases, file servers, and applications
  • RBAC policy documentation defining permissions per role
  • Access review logs showing approval records for granted permissions
  • Denial logs demonstrating rejected unauthorized access attempts
  • Change management records for access policy modifications
  • Quarterly access reviews with sign-off from system owners

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps your access control configurations to PCI DSS 7.3.3 requirements, identifies overly permissive rules, and tracks evidence of deny-by-default policies—eliminating manual audits and reducing compliance overhead.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1 (Limit access by business need)PCI DSS 7.2 (Restrict physical access)PCI DSS 8.1 (Unique user identification)PCI DSS 8.2 (Authentication mechanisms)