[PCI DSS 3.0] 7.2.2 Assignment of privileges to individuals based on job classification and function.

7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.

Without a mechanism to restrict access based on a user’s need to know, a user may unknowingly be granted access to cardholder data. An access control system automates the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access.

Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.
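As an added illustration (not PCI DSS text or any vendor's product), the following Python models the two points above: privileges bound to a job classification rather than to individuals, and a configurable default that shows why an "allow-all" setting grants access nobody ever assigned. All roles, users and resource names are constructed sample data.

```python
"""Default "deny-all" access control keyed to job function (added example)."""

# Privileges explicitly granted to each job classification (constructed data).
ROLE_PRIVILEGES = {
    "payments_analyst": {("cardholder_db", "read")},
    "dba": {("cardholder_db", "read"), ("cardholder_db", "write")},
    "helpdesk": {("ticket_system", "read"), ("ticket_system", "write")},
}

# Individuals mapped to a job classification; the contractor has none yet.
USER_ROLES = {"alice": "payments_analyst", "bob": "dba",
              "carol": "helpdesk", "contractor": None}

# Resources and the actions possible on each (constructed data).
RESOURCES = {"cardholder_db": {"read", "write"},
             "ticket_system": {"read", "write"}}


def has_rule(user, resource, action):
    """True if a rule for the user's job function names (resource, action)."""
    role = USER_ROLES.get(user)
    return (resource, action) in ROLE_PRIVILEGES.get(role, set())


def decide(user, resource, action, default="deny"):
    """Return "allow" or "deny" for one access request.

    Access is granted when a rule for the user's job function covers the
    request. Otherwise the configured default applies: "deny" is the
    deny-all setting 7.2.2 expects; "allow" models the allow-all pitfall
    described in the note, where access exists until a rule denies it.
    """
    if has_rule(user, resource, action):
        return "allow"
    return default


def unexplained_access(default="deny"):
    """List every (user, resource, action) allowed without a granting rule.

    This is the check an assessor would want to see empty: every grant must
    trace back to a privilege assigned to a job classification.
    """
    findings = []
    for user in USER_ROLES:
        for resource, actions in RESOURCES.items():
            for action in sorted(actions):
                allowed = decide(user, resource, action, default) == "allow"
                if allowed and not has_rule(user, resource, action):
                    findings.append((user, resource, action))
    return sorted(findings)
```

With the default left at "allow", `unexplained_access("allow")` reports the contractor, who has no job classification at all, as able to read the cardholder database; with "deny" the list is empty.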