WithPCI.com

7.2.5.1 All access by application and system accounts and related access privileges are reviewed as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

7.2.5.1 All access by application and system accounts and related access privileges are reviewed as follows:

  • Periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
  • The application/system access remains appropriate for the function being performed.
  • Any inappropriate access is addressed.
  • Management acknowledges that access remains appropriate.

Customized Approach Objective

Application and system account privilege assignments are verified periodically by management as correct, and nonconformities are remediated.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

7.2.5.1.a Examine policies and procedures to verify they define processes to review all application and system accounts and related access privileges in accordance with all elements specified in this requirement.

7.2.5.1.b Examine the entity's targeted risk analysis for the frequency of periodic reviews of application and system accounts and related access privileges to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1.

7.2.5.1.c Interview responsible personnel and examine documented results of periodic reviews of system and application accounts and related access privileges to verify that the reviews occur in accordance with all elements specified in this requirement.

Purpose

Regular review of access rights helps to detect excessive access rights remaining after system functions change, or other application or system modifications occur. If excessive rights are not removed when no longer needed, they may be used by malicious users for unauthorized access.

purpose

Review and confirm access rights at least once every six months.

compliance strategies

  • Automated access review reminders
  • Manager attestation

typical policies

  • Access Review Policy

common pitfalls

  • Missed reviews
  • No evidence of review

type

Process Control

difficulty

Moderate

key risks

  • Stale or excessive access

recommendations

  • Automate access review process

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
