[PCI DSS 3.0] A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only.

A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only.

A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin).
A.1.2.b Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.)
Important: An entity’s files may not be shared by group.
A.1.2.c Verify that an entity’s users do not have write access to
shared system binaries.
A.1.2.d Verify that viewing of log entries is restricted to the owning entity.
A.1.2.e To ensure each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions resulting in, for example, buffer overflows), verify restrictions are in place for the use of these system resources:
• Disk space
• Bandwidth
• Memory
• CPU

To ensure that access and privileges are restricted such that each merchant or service provider has access only to their own environment, consider the following:

  1. Privileges of the merchant’s or service provider’s web server user ID;
    
  2. Permissions granted to read, write, and execute files;
    
  3. Permissions granted to write to system binaries;
    
  4. Permissions granted to merchant’s and service provider’s log files; and
    
  5. Controls to ensure one merchant or service provider cannot monopolize system resources.