PCI Requirement 12.5.4 – Administer User Accounts, Including Additions, Deletions, and Modifications

by Randy Bartels / July 3rd, 2018

Someone to Administer User Accounts

In PCI Requirement 8.1.2, we learned there must be a formal program of control for additions, deletions, and modifications of user IDs and other credentials. This ties right in with PCI Requirement 12.5.4, which states there must be someone assigned to administer user accounts, including additions, deletions, and modifications. Think about all of the additions, deletions, and modifications that have occurred within your organization in the last year: new hires, terminations, resignations, promotions, or a change in role. You must ensure that the privileges an individual has been assigned are the privileges they actually need, and that those privileges do not exceed what is required by their job.

For this role, it’s important that organizations develop transition and/or succession plans to avoid potential gaps in this security assignment, which could result in user IDs and credentials being left out of date.

PCI Requirement 12.5.4 establishes that somebody needs to be assigned responsibility for the move, add, and change functions of all of the user accounts within the environment. Somebody needs to be actively removing individuals that have been terminated. Somebody needs to be removing or disabling accounts that haven’t been used in the last 90 days. The assessor is going to be looking for who is responsible for this. For all of these requirements, the assignment can be given to an individual, a title, or a group of people, as long as these particular roles have been disseminated and are being managed.
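The review the assigned administrator performs, as an added example that is not part of the original post: it reconciles a constructed account export against a constructed HR roster and flags terminated-but-enabled accounts, role changes not reflected in the account, orphaned accounts with no HR record, and accounts idle for more than 90 days. The roster, account list, and review date are all made-up sample data.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from any real system.
INACTIVITY_LIMIT = timedelta(days=90)
REVIEW_DATE = date(2018, 7, 3)

HR_ROSTER = {
    "alice": {"status": "active", "role": "dba"},
    "bob": {"status": "terminated", "role": "helpdesk"},
    "carol": {"status": "active", "role": "developer"},
    "dave": {"status": "active", "role": "finance"},
}

ACCOUNTS = [
    {"user": "alice", "enabled": True, "role": "dba", "last_login": date(2018, 6, 30)},
    {"user": "bob", "enabled": True, "role": "helpdesk", "last_login": date(2018, 5, 1)},
    {"user": "carol", "enabled": True, "role": "admin", "last_login": date(2018, 6, 28)},
    {"user": "dave", "enabled": True, "role": "finance", "last_login": date(2018, 2, 1)},
    {"user": "eve", "enabled": True, "role": "contractor", "last_login": date(2018, 6, 29)},
]


def review_accounts(accounts, roster, as_of):
    """Return (user, finding) pairs the account administrator must act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR record at all: the account was never tied to a person.
            findings.append((user, "ORPHANED"))
            continue
        if person["status"] == "terminated" and acct["enabled"]:
            # Deletion that was never processed after the termination.
            findings.append((user, "TERMINATED_ENABLED"))
        elif acct["role"] != person["role"]:
            # Modification (promotion / role change) not reflected in privileges.
            findings.append((user, "ROLE_MISMATCH"))
        if acct["enabled"] and as_of - acct["last_login"] > INACTIVITY_LIMIT:
            # Inactive for more than 90 days: disable or remove.
            findings.append((user, "INACTIVE_90D"))
    return findings


def run_review():
    return review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```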