DBA Access to Encrypted Data
eagoss
01-24-2008, 02:44 PM
My company is a 'solution provider' that will be adding a credit card transaction to our system in the next few months.
Concerning requirement 7.1.
Should / Can a DBA have access to the encrypted CHD data stored in the database? My gut instinct is NO. I'd just like to have a Security Guru's opinion on the matter.
This will be a determining factor over using SQL Server 2008 TDE or column-level encryption.
Thanks,
Elizabeth
Database Administrator
cmark
01-24-2008, 03:29 PM
This answer requires less security guru and more understanding of the PCI DSS objectives. From a security perspective your company needs to evaluate the risk. That being said, from a PCI compliance perspective it is not a compliance issue IF additional controls are in place. This was an issue brought up by a QSA who was telling their merchant that they could not use Vormetric and had to use a column level solution. If you can minimize the exposure to a single trusted account and have appropriate controls, you are certainly meeting the objectives of the PCI DSS.
The PCI DSS is not intended to prevent companies from having access to data, simply to control the access and protect the data. I would caution you from reading too much into the specifics of the standard. Keep in mind that the PCI DSS still allows compensating controls for encryption. This should demonstrate that the DBA issue is not too significant.
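The following T-SQL is an added example and is not part of either post. It contrasts the two options named in the question on SQL Server 2008: TDE, where the DBA's SELECT still returns cleartext, and column-level encryption with a symmetric key protected by a password held only by the payment application, which is one way to narrow decryption to the "single trusted account" cmark describes and to audit its use. Database, table, key, certificate and audit names, the file path and the passwords are placeholders, and the card number is a constructed test value.

```sql
-- Added example (not from the thread). Names, paths and passwords are placeholders.

-- (A) TDE: encrypts data files and backups at rest. Any login with SELECT
--     permission on the table, which a sysadmin always has, still reads cleartext,
--     so TDE on its own does not restrict DBA access to cardholder data.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (placeholder)';
USE PaymentsDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE PaymentsDb SET ENCRYPTION ON;
-- SELECT pan FROM dbo.CardData;   -- would return cleartext to the DBA under TDE

-- (B) Column-level encryption: the table holds ciphertext only.
USE PaymentsDb;
CREATE TABLE dbo.CardData (
    card_id  int IDENTITY PRIMARY KEY,
    pan_enc  varbinary(256) NOT NULL,   -- EncryptByKey output; never a cleartext PAN
    last4    char(4)        NOT NULL    -- display/lookup value, not a secret
);

-- The key is protected by a password rather than by a server-owned certificate,
-- so OPEN SYMMETRIC KEY requires the password. The password is kept in the
-- application's secret store, not on the server and not with the DBA.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = '<app-only-key-password-placeholder>';

-- Application session (the single trusted account): open the key, write ciphertext.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY PASSWORD = '<app-only-key-password-placeholder>';
INSERT INTO dbo.CardData (pan_enc, last4)
VALUES (EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'), '1111');  -- constructed test PAN
SELECT card_id, last4, CONVERT(nvarchar(19), DecryptByKey(pan_enc)) AS pan
FROM dbo.CardData;                    -- cleartext only while the key is open
CLOSE SYMMETRIC KEY CardKey;

-- DBA session: full SELECT rights but no key password, so the key cannot be opened.
SELECT card_id, last4, pan_enc, DecryptByKey(pan_enc) AS pan
FROM dbo.CardData;                    -- pan is NULL; only ciphertext is visible

-- (C) The "appropriate controls": record every read of the table, including
--     reads by the trusted application account, with SQL Server Audit.
CREATE SERVER AUDIT CardAudit TO FILE (FILEPATH = 'D:\audit\');   -- placeholder path
ALTER SERVER AUDIT CardAudit WITH (STATE = ON);
USE PaymentsDb;
CREATE DATABASE AUDIT SPECIFICATION CardDataAccess
    FOR SERVER AUDIT CardAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.CardData BY public)
    WITH (STATE = ON);
```

The design only holds if the key password never lands on the server in a form a sysadmin can read (a stored procedure body, a job step, a plain-text config the DBA can reach); the password-protected key stops the DBA from decrypting but does not stop a sysadmin from dropping the key, so key backups and the audit trail are the compensating controls that make the arrangement defensible to a QSA.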
mdahn
01-24-2008, 04:31 PM
I fully agree with CMark's comments. It's about understanding the objective/intent behind the requirement and evaluating the combinatory effect of controls to achieve this.