Access Control Policy
Controls for access, approval, least privilege, and periodic review under PCI DSS Requirement 7.
Access Control Policy (PCI DSS Requirement 7)
Updated: January 1, 2026
Approved By: Jennifer Lyssy, CEO
1. Purpose
This policy defines how access to systems and data is granted, managed, and reviewed based on business need-to-know and least privilege principles.
2. Scope
Applies to all users, systems, and data within the organization, including third-party access.
3. Policy Statement
Botanic, LLC restricts access to system components and cardholder data based on job responsibilities and business necessity.
4. Roles and Responsibilities
Management
  - Approves access rights
  - Reviews access periodically
Security Officer / IT Lead
  - Manages access control processes
  - Conducts access reviews
Personnel
  - Use access only for authorized purposes
5. Access Control Model
Access is granted based on:
  - Job role
  - Business need
Least privilege is enforced:
  - Users receive only the minimum access required
6. Default Deny
All systems are configured to:
  - Deny access by default unless explicitly authorized
7. User Access Management
Access must be:
  - Approved before granting
  - Documented
Applies to:
  - Employees
  - Contractors
  - Vendors
8. Access Reviews (CRITICAL)
Conducted at least every 6 months
Includes:
  - All user accounts
  - Administrative access
  - Third-party access
Ensures:
  - Access is still appropriate
  - Unnecessary access is removed
  - Management approval is documented
9. Third-Party Access
Third-party access must:
  - Be limited to business need
  - Be time-bound
  - Be disabled when not in use
10. Access Revocation
Access must be removed:
  - Immediately upon termination
  - When roles change
11. Policy Review
Reviewed annually and updated as needed.
12. Compliance
Failure to comply may result in disciplinary action.