PCI DSS 8.2.6: Remove or Disable Inactive Accounts After 90 Days
Inactive user accounts represent a significant security risk in payment environments, as dormant credentials can be exploited without detection. PCI DSS 8.2.6 requires organizations to remove or disable any user accounts that remain inactive for 90 days or longer. This control strengthens access management by ensuring only active, monitored users retain system privileges.
What this means
This control mandates that your organization must systematically identify, track, and act upon user accounts showing no activity within a 90-day window. Accounts must either be removed entirely from the system or disabled to prevent unauthorized access. The 90-day threshold applies to all user accounts across cardholder data environment (CDE) systems and related infrastructure.
How to comply
- 1.Enable user account activity logging across all CDE systems to track login and access timestamps
- 2.Establish a documented process that identifies accounts inactive for 90+ days on a regular schedule
- 3.Review inactive accounts and notify account owners to confirm whether the account should remain active
- 4.Disable or remove confirmed inactive accounts within a defined timeframe after the 90-day threshold
- 5.Maintain audit trails documenting all account removal/disablement actions including date, reason, and approver
- 6.Communicate account status changes to system administrators and security teams
- 7.Periodically validate that disabled accounts are inaccessible and cannot be reactivated without proper authorization
Evidence auditors look for
- User account activity reports showing last login dates and removal/disablement dates
- Documented procedures for inactive account identification and management
- Access control system logs demonstrating account status changes
- Approval records for account removal or disablement decisions
- Archived reports from quarterly or monthly inactive account reviews
- System configuration settings enforcing the 90-day inactivity threshold
- Notification records sent to account owners prior to account removal
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates inactive account detection and generates removal reports on a configurable schedule, eliminating manual account reviews and ensuring your organization stays audit-ready for PCI DSS 8.2.6.
See how GRCWatch handles this control automatically
Start free trial