Diff: FAQ #1066

Can you define "Inactive User" as used in PCI DSS requirement 8.5.5?

Earlier Version
2008-02-24T00:00:00+00:00

Later Version
2014-05-29T00:00:00+00:00

Removed

Added

An inactive user account is one ~~whose account~~that has not been used in over 90 days. ~~Note~~Inactive accounts are often targets for attackers since they are generally not monitored, and changes to the accounts (such as a changed password) could easily go unnoticed.

Removing or disabling inactive accounts reduces the risk that ~~section~~they ~~8.5~~will ~~requirements~~be ~~only apply~~used to ~~“non-consumer~~gain ~~users” or those individuals that~~unauthorized access ~~systems within~~to the ~~cardholder~~environment.

(Note: ~~environment,~~PCI ~~including~~DSS ~~but~~Requirement ~~not~~numbers ~~limited~~refer to ~~employees,~~PCI ~~contractors,~~DSS ~~administrators,~~version ~~and other third parties.~~3)

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.