8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.
Defined Approach Requirements
8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.
Customized Approach Objective
Inactive user accounts cannot be used.
Defined Approach Testing Procedures
8.2.6 Examine user accounts and last logon information, and interview personnel to verify that any inactive user accounts are removed or disabled within 90 days of inactivity.
Purpose
Accounts that are not used regularly are often targets of attack since it is less likely that any changes, such as a changed password, will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data.
Good Practice
Where it may be reasonably anticipated that an account will not be used for an extended period of time, such as an extended leave of absence, the account should be disabled as soon as the leave begins, rather than waiting 90 days.
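The testing procedure above checks last logon data against the 90-day limit, and the Good Practice note asks for accounts on extended leave to be disabled at once. The following added example (not part of the PCI DSS text) models that review over constructed directory records; the Account fields, the on_extended_leave flag and the fixed clock are assumptions, and never-used accounts are aged from their creation date so they cannot escape the check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)  # PCI DSS 8.2.6 threshold


@dataclass
class Account:
    """Constructed directory record; field names are assumptions, not a real directory schema."""
    name: str
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]  # None means the account has never logged on
    on_extended_leave: bool = False  # HR flag, per the Good Practice note


def days_inactive(acct: Account, now: datetime) -> int:
    """Whole days since last logon. Never-used accounts are measured from creation,
    otherwise they would never age and could sit enabled indefinitely."""
    reference = acct.last_logon if acct.last_logon is not None else acct.created
    return (now - reference).days


def accounts_to_disable(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Return (name, reason) for enabled accounts that 8.2.6 or its Good Practice says to disable."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: compliant, nothing to do
        if acct.on_extended_leave:
            findings.append((acct.name, "extended leave: disable at start of leave"))
        elif days_inactive(acct, now) >= INACTIVITY_LIMIT.days:
            findings.append((acct.name, f"inactive {days_inactive(acct, now)} days"))
    return findings


# Constructed sample data with a fixed clock so the review is repeatable
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", True, NOW - timedelta(days=400), NOW - timedelta(days=10)),
    Account("bob", True, NOW - timedelta(days=400), NOW - timedelta(days=120)),
    Account("carol", True, NOW - timedelta(days=100), None),  # never logged on
    Account("dave", False, NOW - timedelta(days=400), NOW - timedelta(days=200)),  # already disabled
    Account("erin", True, NOW - timedelta(days=400), NOW - timedelta(days=5), on_extended_leave=True),
    Account("frank", True, NOW - timedelta(days=400), NOW - timedelta(days=89)),
]

if __name__ == "__main__":
    for name, reason in accounts_to_disable(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: {reason}")
```

Running the review against a real export of last logon data, and keeping its output as evidence, gives an assessor exactly what the testing procedure asks to examine.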
Purpose
Enable accounts only as needed and disable when not in use.
Compliance Strategies
- Just-in-time account enablement
- Account disablement automation
Typical Policies
- Account Enablement Policy
Common Pitfalls
- Dormant accounts left enabled
Type
Technical/Process Control
Difficulty
Low
Key Risks
- Dormant accounts exploited
Recommendations
- Monitor for inactive accounts
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER