7.2.4—All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: At least once every six months To ensure user accounts and access remain appropriate based on job function.
>Requirement Description
All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:
- At least once every six months.
- To ensure user accounts and access remain appropriate based on job function.
- Any inappropriate access is addressed.
- Management acknowledges that access remains appropriate.

Applicability Notes

This requirement applies to all user accounts and related access privileges, including those used by personnel and third parties/vendors, and accounts used to access third-party cloud services. See Requirements 7.2.5 and 7.2.5.1 and 8.6.1 through 8.6.3 for controls for application and system accounts.

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
>Cross-Framework Mappings