PCI DSS 7.2.4: Review User Access Semi-Annually
PCI DSS 7.2.4 requires organizations to audit all user accounts and access privileges at least twice yearly to identify and remediate unauthorized or excessive permissions. This control is critical for preventing unauthorized data access and maintaining a clean authorization matrix. Without systematic semi-annual reviews, stale accounts and privilege creep create persistent security gaps that auditors will flag.
What this means
Every six months, you must conduct a formal review of all active user accounts and the access privileges assigned to each one. This includes evaluating whether users still need their current permissions, whether permissions align with job responsibilities, and whether any accounts should be disabled. The review must be documented and include sign-off from appropriate managers or system owners confirming that access levels remain appropriate.
How to comply
- 1.Generate a complete inventory of all user accounts across systems that store or process cardholder data
- 2.Document the access privileges assigned to each account, including system access, data permissions, and administrative rights
- 3.Distribute access lists to department managers and system owners for review and validation
- 4.Require managers to confirm in writing that each user's access remains necessary for their current job function
- 5.Identify and document any accounts with excessive privileges or accounts for departed employees
- 6.Remove or modify inappropriate access and disable unused accounts
- 7.Retain evidence of the review including account listings, manager sign-offs, and remediation records
- 8.Schedule the next review six months from completion and maintain a review calendar
Evidence auditors look for
- Dated access review documentation showing all user accounts and their assigned privileges
- Email confirmations or signed attestations from managers validating access appropriateness
- Change tickets or system logs showing removal of inappropriate access or disabled accounts
- Access control matrix or report generated from IAM system with review date and approver signature
- Spreadsheet or database export listing users, departments, systems accessed, and privilege levels reviewed
- Remediation tickets documenting actions taken to revoke excessive or unnecessary access
- Review scheduling calendar or project plan confirming semi-annual frequency
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the user access review workflow by generating current access reports on demand, routing them to managers for sign-off with built-in tracking, and maintaining a compliance calendar to ensure reviews happen every six months without manual reminders.
See how GRCWatch handles this control automatically
Start free trial