GRCWatch
Sign inStart free trial

PCI DSS 7.1.5: Semi-Annual Review of User Accounts and Privileges

PCI DSS 7.1.5 requires organizations to review all user accounts and their access privileges—including third-party and vendor accounts—at least twice per year. This foundational access control prevents unauthorized or excessive permissions from persisting in your environment. Staying on top of account audits is critical for detecting dormant accounts, privilege creep, and rogue access before they become security vulnerabilities.

What this means

This control mandates a formal, documented review of every active user account and the privileges assigned to it within a six-month cycle. The review must cover internal employees, contractors, third-party vendors, and system accounts. The goal is to ensure that access rights remain appropriate, necessary, and aligned with job responsibilities—and to identify and remediate accounts that no longer require system access.

How to comply

  1. 1.Generate a complete inventory of all active user accounts across systems in scope, including internal staff, vendors, contractors, and service accounts.
  2. 2.Document the access privileges and permissions assigned to each account, mapping them to specific systems, applications, and data.
  3. 3.Verify that each account's access level matches the user's current role and business function.
  4. 4.Identify and flag accounts with excessive, dormant, or orphaned privileges—including those inherited from role changes or departures.
  5. 5.Review third-party and vendor accounts separately to confirm they retain only the minimum access required for their contracted services.
  6. 6.Document all findings, including accounts flagged for removal or privilege reduction.
  7. 7.Remove or disable accounts no longer required; revoke or reduce excessive privileges.
  8. 8.Schedule and conduct a second review within the same calendar year (minimum two reviews per 12 months).
  9. 9.Maintain signed evidence of each review, including who performed it, when it was completed, and what actions were taken.

Evidence auditors look for

  • Signed and dated user access review reports showing account inventory, assigned privileges, and validation of appropriateness.
  • System access reports or IAM output listing all active users, roles, and permission assignments.
  • Documentation of accounts removed or privileges reduced as a result of the review.
  • Approval sign-offs from system owners or managers confirming access levels are correct.
  • Evidence of at least two separate reviews completed within a 12-month period.
  • Third-party/vendor account review summaries with scope of access and business justification.
  • Remediation logs showing follow-up actions taken on findings from prior reviews.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates account inventory collection and privilege mapping across your systems, then alerts you when reviews are due and tracks completion of both annual reviews—eliminating the manual spreadsheet scramble and ensuring you never miss a PCI DSS 7.1.5 deadline.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1.1 — Limit Access by Business NeedPCI DSS 7.1.3 — Remove/Adjust Access When Employee LeavesPCI DSS 8.1.4 — Remove Inactive User AccountsPCI DSS 8.2.3 — Password Change Requirements