PCI Requirement 8.1.4 – Remove/Disable Inactive User Accounts Within 90 Days

by Randy Bartels / December 21st, 2017

Are User Accounts Actively In Use?

PCI Requirement 8.1.4 calls out the need to remove/disable inactive user accounts within 90 days. Sounds pretty straightforward, right? PCI Requirement 8.1.4 is where a lot of organizations tend to struggle. It’s not about if the user has been terminated or left your organization, it’s about if the account has been actively in use. Extended vacations, sabbaticals, maternity leaves, medical leaves – factors like these play into whether or not an account is actively in use. Even with legitimate reasons for not using an account, your organization still needs to remove/disable inactive user accounts within 90 days. If someone is still employed, still active, but just not using an account, then that individual should have never been given access to the account.

Why are inactive accounts harmful to cardholder data? The PCI DSS explains, “Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data.” PCI Requirement 8.1.4 places further protection on cardholder data.

PCI Requirements 8.1.1 through 8.1.3 play large roles in PCI Requirement 8.1.4 compliance. Your organization must give unique user IDs in order to track which users are performing specific actions. You must manage the addition, deletion, and modification of user IDs and credentials so that you know who receives privileged access. You must promptly revoke access for terminated users. Without any of these controls in place, you cannot identify inactive user accounts, so you cannot remove/disable inactive user accounts within 90 days.

We recommend that you have a relationship between your organization’s HR department and IT department. You must have a process in place so that HR notifies IT of any extended leave of absence so that the IT department can manage this control and remove/disable inactive user accounts within 90 days.

In a previous video, we talked about the need to control the move, add, change of accounts. When we get to PCI Requirement 8.1.4, it says that we either need to remove or disable any inactive account that’s been inactive for longer than 90 days.

This is one requirement that most organizations really struggle with. We find that’s because the requirement is not about if the employee has been terminated, it’s about if the account has not been used. If you’ve given permissions for somebody to use an account to access an environment and they have not used that account within 90 days, we expect for that account to either be disabled or removed.

Where we have struggles here is where we have people that go on an extended vacation, a woman on maternity leave, or a multitude of other things that would cause an account to not be used. One of the things that we would recommend you do, from an organizational perspective, is that you have a hook from your HR department into your IT department. When someone is going to take an extended leave of absence or be gone for an extended period of time, HR notifies the IT department so that they can manage this particular control.

Subsequent to that, there are people that are still employed or active but they’re just not using these accounts. Somehow, we have to measure whether or not these accounts have been used. It gets really difficult if you’re using your own homegrown authentication mechanism. Has this account been used? Sometimes, there’s no way to tell. But at the end of the day, if the account has not been used in the last 90 days, it needs to be disabled or removed.

From an assessment perspective, KirkpatrickPrice has a lot of scripts that they will likely provide you, which will pull a lot of this information to automate the audit process for you. It tells us whether or not you have accounts that haven’t been used in the last 90 days.