PCI Requirement 8.1.4 – Remove/Disable Inactive User Accounts Within 90 Days

PCI Requirement 8.1.4 calls out the need to remove/disable inactive user accounts within 90 days. Sounds pretty straightforward, right? Yet PCI Requirement 8.1.4 is where a lot of organizations tend to struggle. It’s not about whether the user has been terminated or has left your organization; it’s about whether the account has been actively in use. Extended vacations, sabbaticals, maternity leaves, medical leaves – factors like these play into whether or not an account is actively in use. Even when there is a legitimate reason an account is not being used, your organization still needs to remove/disable it within 90 days. If someone is still employed and still active but simply not using an account, then that individual should never have been given access to that account in the first place.
Why are inactive accounts harmful to cardholder data? The PCI DSS explains, “Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data.” PCI Requirement 8.1.4 places further protection on cardholder data.
PCI Requirements 8.1.1 through 8.1.3 play large roles in PCI Requirement 8.1.4 compliance. Your organization must give unique user IDs in order to track which users are performing specific actions. You must manage the addition, deletion, and modification of user IDs and credentials so that you know who receives privileged access. You must promptly revoke access for terminated users. Without any of these controls in place, you cannot identify inactive user accounts, so you cannot remove/disable inactive user accounts within 90 days.
We recommend that you have a relationship between your organization’s HR department and IT department. You must have a process in place so that HR notifies IT of any extended leave of absence so that the IT department can manage this control and remove/disable inactive user accounts within 90 days.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.