Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1066 Published

What is an "inactive user account" as used in PCI DSS Requirement 8.1.4?

An inactive user account is one that has not been used in over 90 days. Inactive accounts are often targets for attackers since they are generally not monitored, and changes to the accounts (such as a changed password) could easily go unnoticed.

Removing or disabling inactive accounts reduces the risk that they will be used to gain unauthorized access to the environment.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)
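
One way to run the 90-day check over an account inventory, as an added example that is not part of the PCI SSC FAQ. The record fields (`name`, `enabled`, `created`, `last_used`), the sample data, and the choice to age never-used accounts from their creation date are assumptions.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)  # threshold stated in the FAQ


def find_inactive(accounts, now):
    """Return (name, idle_days, reason) for enabled accounts unused for over 90 days.

    Each account is a dict with hypothetical keys: name, enabled, created,
    last_used (None if the account has never been used).
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to do
        # Assumption: a never-used account is aged from its creation date.
        reference = acct["last_used"] or acct["created"]
        idle = now - reference
        if idle > INACTIVITY_LIMIT:  # "over 90 days": exactly 90 is not flagged
            reason = "never used" if acct["last_used"] is None else "stale"
            findings.append((acct["name"], idle.days, reason))
    # Longest-idle accounts first, so the riskiest are reviewed first.
    return sorted(findings, key=lambda f: f[1], reverse=True)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory, not real data.
NOW = _utc(2024, 6, 30)
SAMPLE = [
    {"name": "alice", "enabled": True, "created": _utc(2022, 1, 10), "last_used": _utc(2024, 6, 28)},
    {"name": "bob", "enabled": True, "created": _utc(2021, 3, 5), "last_used": _utc(2024, 3, 1)},
    {"name": "svc-report", "enabled": True, "created": _utc(2023, 11, 1), "last_used": None},
    {"name": "carol", "enabled": True, "created": _utc(2020, 7, 7), "last_used": _utc(2024, 4, 1)},
    {"name": "dave", "enabled": False, "created": _utc(2019, 2, 2), "last_used": _utc(2023, 1, 1)},
]

if __name__ == "__main__":
    for name, days, reason in find_inactive(SAMPLE, NOW):
        print(f"{name}: idle {days} days ({reason}) -> remove or disable")
```

In the sample, `carol` is idle for exactly 90 days and is not reported, while `svc-report` is reported even though it has no last-use timestamp at all.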

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.