diff --git a/uc_order/src/Entity/OrderStatus.php b/uc_order/src/Entity/OrderStatus.php
index 110983f..2ecdeb8 100644
--- a/uc_order/src/Entity/OrderStatus.php
+++ b/uc_order/src/Entity/OrderStatus.php
@@ -18,6 +18,9 @@ use Drupal\uc_order\OrderStatusInterface;
 * singular = "@count order status",
 * plural = "@count order statuses",
 * ),
+ * handlers = {
+ * "access" = "Drupal\uc_order\OrderStatusAccessControlHandler"
+ * },
 * admin_permission = "administer order workflow",
 * config_prefix = "status",
 * entity_keys = {
diff --git a/uc_order/src/OrderStatusAccessControlHandler.php b/uc_order/src/OrderStatusAccessControlHandler.php
new file mode 100644
index 0000000..da948a9
--- /dev/null
+++ b/uc_order/src/OrderStatusAccessControlHandler.php
@@ -0,0 +1,49 @@
+hasPermission('view all orders') || $account->hasPermission('view own orders') || $account->hasPermission('administer order workflow')) {
+ return AccessResult::allowed()->cachePerPermissions();
+ } else {
+ return AccessResult::forbidden()->cachePerPermissions();
+ }
+
+ case 'update':
+ // User can update an order status, if has permission to administer order workflow
+ return AccessResult::allowedIfHasPermission($account, 'administer order workflow')->cachePerPermissions()->cachePerUser();
+
+ case 'delete':
+ // User can delete an order status, if has permission to administer order workflow
+ return AccessResult::allowedIfHasPermission($account, 'administer order workflow')->cachePerPermissions()->cachePerUser();
+ }
+
+ return AccessResult::neutral();
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
+ return AccessResult::allowedIfHasPermission($account, 'administer order workflow')->cachePerPermissions();
+ }
+
+}
diff --git a/uc_order/src/Tests/OrderTest.php b/uc_order/src/Tests/OrderTest.php
index 523bed3..af2f518 100644
--- a/uc_order/src/Tests/OrderTest.php
+++ b/uc_order/src/Tests/OrderTest.php
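Review bot: In OrderStatusAccessControlHandler.php the 'update' and 'delete' branches chain `->cachePerUser()` onto a result that depends only on a permission, which splits the cached access result per account for no gain; `AccessResult::allowedIfHasPermission()` already attaches the permissions cache context, so both returns can be just `return AccessResult::allowedIfHasPermission($account, 'administer order workflow');`. The 'view' branch returns `forbidden()` when none of the three permissions is held, and an explicit forbidden cannot be overridden by another module's access hook; if that hard deny is not intended, `return AccessResult::allowedIfHasPermissions($account, ['view all orders', 'view own orders', 'administer order workflow'], 'OR');` yields neutral instead, which still denies by default. The top of the new file (namespace, class declaration and the start of checkAccess) is missing from this rendering, so whether the parent handler's admin_permission check would already cover update and delete could not be confirmed here.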
@@ -166,9 +166,14 @@ class OrderTest extends UbercartTestBase { public function testOrderCustomerView() { $order = $this->ucCreateOrder($this->customer); + // Update the status to pending, so the user can see the order on the My order history page + $order->setStatusId('pending'); + $order->save(); + $this->drupalLogin($this->customer); $this->drupalGet('user/' . $this->customer->id() . '/orders'); $this->assertText(t('My order history')); + $this->assertText(t('Pending'), t('Order status is visible for the customer.')); $this->drupalGet('user/' . $this->customer->id() . '/orders/' . $order->id()); $this->assertResponse(200, 'Customer can view their own order.');
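Review bot: The deny side of the new order-status access handler is untested; the added assertions only confirm that a customer who can view their own orders sees 'Pending' on the order history page. Nothing checks that the same customer is refused 'update' and 'delete' on a status, which is the part of the handler guarding the workflow configuration. An assertion such as `$this->assertFalse(OrderStatus::load('pending')->access('update', $this->customer), 'Customer cannot update an order status.');` would pin that, assuming the customer account lacks 'administer order workflow' and the entity class is imported in the test. The added comment line also lacks its closing period and runs past 80 columns. testOrderCustomerView() continues past the end of this hunk.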