Frequently Asked Question

What is an "inactive user account" as used in PCI DSS Requirement 8?
An inactive user account is one that has not been used for more than 90 days. Inactive accounts are attractive targets for attackers because they are generally not monitored, so changes to them (such as a changed password) can easily go unnoticed.
Removing or disabling inactive accounts reduces the risk that they will be used to gain unauthorized access to the environment.
Note: The specific sub requirement number(s) and terminology may vary depending on the version of the standard being used.
August 2022
Article Number: 1066
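The check this answer describes, as an added example that is not part of the PCI SSC article: a Python script that runs over constructed account records, flags enabled accounts unused for more than 90 days, disables (rather than deletes) them so the record survives for audit, and separately lists accounts whose password was changed after their last login, which is the "unnoticed change" situation the answer warns about. The 90-day threshold is the FAQ's; treating a never-used account as inactive from its creation date, and the sample accounts and names, are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Threshold from PCI DSS Requirement 8: unused for more than 90 days means inactive.
INACTIVITY_LIMIT = timedelta(days=90)

# Fixed "current time" for the constructed sample below (not a real system clock).
SAMPLE_NOW = datetime(2022, 8, 15, tzinfo=timezone.utc)


@dataclass
class Account:
    name: str
    created: datetime
    last_used: Optional[datetime]          # None: the account has never logged in
    password_changed: Optional[datetime]   # None: never changed since creation
    enabled: bool = True


def last_activity(acct: Account) -> datetime:
    """Timestamp that inactivity is measured from.

    Assumption (not stated in the FAQ): an account that has never logged in is
    measured from its creation date, so provisioned-but-unused accounts age out too.
    """
    return acct.last_used if acct.last_used is not None else acct.created


def is_inactive(acct: Account, now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> bool:
    """True when the account has been unused for MORE than `limit` (exactly 90 days is not inactive)."""
    return now - last_activity(acct) > limit


def find_inactive(accounts: List[Account], now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
    """Names of enabled accounts that are inactive; already-disabled accounts are skipped."""
    return [a.name for a in accounts if a.enabled and is_inactive(a, now, limit)]


def find_unnoticed_changes(accounts: List[Account]) -> List[str]:
    """Accounts whose password was changed after their last login.

    Nobody has used the account since the change, so the legitimate owner has had
    no chance to notice it; review these regardless of how old the account is.
    """
    return [
        a.name
        for a in accounts
        if a.password_changed is not None and a.password_changed > last_activity(a)
    ]


def disable_inactive(accounts: List[Account], now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
    """Disable (not delete) inactive accounts so the record survives for audit and forensics."""
    names = find_inactive(accounts, now, limit)
    for a in accounts:
        if a.name in names:
            a.enabled = False
    return names


def sample_accounts(now: datetime = SAMPLE_NOW) -> List[Account]:
    """Constructed sample data (not from any real system); returns a fresh list per call."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    return [
        # active: logged in three days ago
        Account("alice", created=days_ago(400), last_used=days_ago(3), password_changed=days_ago(30)),
        # inactive (91 days), and the password changed after the last login
        Account("bob", created=days_ago(400), last_used=days_ago(91), password_changed=days_ago(10)),
        # exactly 90 days: not yet "over 90", so still active
        Account("carol", created=days_ago(200), last_used=days_ago(90), password_changed=None),
        # never used; aged from its creation date under the assumption above
        Account("svc-backup", created=days_ago(120), last_used=None, password_changed=None),
        # already disabled: skipped by the inactivity check
        Account("dave", created=days_ago(400), last_used=days_ago(200), password_changed=None, enabled=False),
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    print("inactive:", find_inactive(accounts, SAMPLE_NOW))              # ['bob', 'svc-backup']
    print("changed after last use:", find_unnoticed_changes(accounts))   # ['bob']
    print("disabled:", disable_inactive(accounts, SAMPLE_NOW))           # ['bob', 'svc-backup']
```

In a real environment the `Account` records would come from the identity store (for example a directory export or `lastlog` output) rather than the constructed list; the comparison uses strict "more than 90 days" so that a review run on day 90 does not disable an account the standard does not yet consider inactive.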