
A3.4.1 User accounts and access privileges to in-scope system components are reviewed at least once every six months

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.4.1 User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized.

PCI DSS Reference: Requirement 7

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.4.1 Interview responsible personnel and examine supporting documentation to verify that:

  • User accounts and access privileges are reviewed at least every six months.
  • Reviews confirm that access is appropriate based on job function and that all access is authorized.

Purpose

Regular review of access rights helps to detect excessive access rights remaining after user job responsibilities change, system functions change, or other modifications. If excessive user rights are not revoked in due time, they may be used by malicious users for unauthorized access.

This review provides another opportunity to ensure that accounts for all terminated users have been removed (if any were missed at the time of termination), as well as to ensure that any third parties that no longer need access have had their access terminated.
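The checks the Purpose section lists (excess privileges after a job change, accounts missed at termination, third-party access past its agreed end, and the six-month review clock itself) can be run mechanically against an account export before a reviewer signs off. The following is an added example, not code from WithPCI or the PCI SSC; the account list, HR roster, role-to-entitlement matrix and dates are all constructed.

```python
from datetime import date, timedelta

# Constructed sample inputs standing in for an IAM account export, an HR
# roster and a job-function-to-entitlement matrix. All names, privileges
# and dates are hypothetical.
ACCOUNTS = [
    {"user": "alice", "privileges": {"cde-app:read"}, "last_review": date(2024, 3, 1)},
    {"user": "bob", "privileges": {"cde-app:read", "cde-db:admin"}, "last_review": date(2023, 12, 15)},
    {"user": "carol", "privileges": {"cde-app:read"}, "last_review": date(2023, 11, 1)},
    {"user": "vendor1", "privileges": {"cde-db:admin"}, "last_review": date(2024, 1, 10)},
]
HR_ROSTER = {
    "alice": {"status": "active", "job": "support"},
    "bob": {"status": "active", "job": "support"},  # moved from DBA to support; admin right never revoked
    "carol": {"status": "terminated", "job": "support"},  # account missed at termination
    "vendor1": {"status": "third_party", "job": "dba", "access_end": date(2024, 3, 31)},
}
ROLE_ENTITLEMENTS = {"support": {"cde-app:read"}, "dba": {"cde-db:admin", "cde-app:read"}}
REVIEW_INTERVAL = timedelta(days=182)  # "at least once every six months"
AS_OF = date(2024, 7, 1)  # constructed review date

def review_accounts(accounts, roster, matrix, today):
    """Return (user, finding) pairs that need reviewer action; an empty list
    means every account is current, authorized and appropriate to its job."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        # Orphaned or terminated-user accounts: flag for removal, skip further checks.
        if person is None or person["status"] == "terminated":
            findings.append((user, "account belongs to unknown or terminated user"))
            continue
        # Third parties keep access only until the agreed end date.
        end = person.get("access_end")
        if person["status"] == "third_party" and end is not None and end < today:
            findings.append((user, "third-party access past agreed end date"))
        # Every privilege must be justified by the current job function.
        excess = acct["privileges"] - matrix.get(person["job"], set())
        if excess:
            findings.append((user, f"privileges not justified by job function: {sorted(excess)}"))
        # The six-month review clock is itself part of the requirement.
        if today - acct["last_review"] > REVIEW_INTERVAL:
            findings.append((user, "last review older than six months"))
    return findings

if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, AS_OF):
        print(f"{user}: {finding}")
```

The output is the reviewer's worklist; the sign-off record for the review should note which findings were remediated and which were explicitly re-authorized.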

Purpose

Designated Entities must review and update the documentation of their PCI DSS compliance program at least annually.

Compliance Strategies

  • Annual review schedule
  • Version control

Typical Policies

  • Compliance Program Review Policy

Common Pitfalls

  • Missed reviews
  • Documentation not updated after review

Type

Process Control

Difficulty

Low

Key Risks

  • Stale or ineffective compliance program

Recommendations

  • Automate review reminders
