GRCWatch
Sign inStart free trial

PCI DSS 7.2.4: Review User Access Semi-Annually

PCI DSS 7.2.4 requires organizations to audit all user accounts and access privileges at least twice yearly to identify and remediate unauthorized or excessive permissions. This control is critical for preventing unauthorized data access and maintaining a clean authorization matrix. Without systematic semi-annual reviews, stale accounts and privilege creep create persistent security gaps that auditors will flag.

What this means

Every six months, you must conduct a formal review of all active user accounts and the access privileges assigned to each one. This includes evaluating whether users still need their current permissions, whether permissions align with job responsibilities, and whether any accounts should be disabled. The review must be documented and include sign-off from appropriate managers or system owners confirming that access levels remain appropriate.

How to comply

  1. 1.Generate a complete inventory of all user accounts across systems that store or process cardholder data
  2. 2.Document the access privileges assigned to each account, including system access, data permissions, and administrative rights
  3. 3.Distribute access lists to department managers and system owners for review and validation
  4. 4.Require managers to confirm in writing that each user's access remains necessary for their current job function
  5. 5.Identify and document any accounts with excessive privileges or accounts for departed employees
  6. 6.Remove or modify inappropriate access and disable unused accounts
  7. 7.Retain evidence of the review including account listings, manager sign-offs, and remediation records
  8. 8.Schedule the next review six months from completion and maintain a review calendar

Evidence auditors look for

  • Dated access review documentation showing all user accounts and their assigned privileges
  • Email confirmations or signed attestations from managers validating access appropriateness
  • Change tickets or system logs showing removal of inappropriate access or disabled accounts
  • Access control matrix or report generated from IAM system with review date and approver signature
  • Spreadsheet or database export listing users, departments, systems accessed, and privilege levels reviewed
  • Remediation tickets documenting actions taken to revoke excessive or unnecessary access
  • Review scheduling calendar or project plan confirming semi-annual frequency

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the user access review workflow by generating current access reports on demand, routing them to managers for sign-off with built-in tracking, and maintaining a compliance calendar to ensure reviews happen every six months without manual reminders.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1 — Restrict access to cardholder data by business needPCI DSS 7.2.1 — Establish user access proceduresPCI DSS 7.2.2 — Assign access based on documented need-to-knowPCI DSS 7.2.3 — Restrict access to privileged user IDsPCI DSS 8.1.4 — Remove/disable user accounts within one day