GRCWatch
Sign inStart free trial

PCI DSS 7.2.5.1: Periodic Review of System Account Access

PCI DSS 7.2.5.1 requires organizations to periodically review all access granted to application and system accounts, ensuring privileges remain appropriate and unnecessary access is revoked. Regular access reviews are a critical control to prevent unauthorized activities and detect dormant or compromised accounts before they become security risks.

What this means

This control mandates that you establish and maintain a documented process for reviewing system and application account access on a recurring schedule. The review must verify that each account's privileges align with its current business purpose, that no excessive permissions exist, and that inactive or obsolete accounts are identified and removed. This applies to both user-created accounts and service accounts used by applications.

How to comply

  1. 1.Document a formal access review policy defining frequency (quarterly minimum recommended), scope, and responsible parties
  2. 2.Create an inventory of all system and application accounts with their assigned privileges and business justification
  3. 3.Perform periodic access reviews by comparing current privileges against the documented inventory and current job requirements
  4. 4.Identify and document accounts with excessive privileges, inactive status, or outdated business purpose
  5. 5.Remove or revoke unnecessary access and update account privileges to the principle of least privilege
  6. 6.Obtain evidence of review completion including dates, reviewer names, accounts examined, and actions taken
  7. 7.Maintain records of all access reviews for audit and compliance verification

Evidence auditors look for

  • Documented access review policy with defined frequency and methodology
  • System and application account inventory with privilege levels and business justification
  • Signed or approved access review reports showing accounts reviewed and dates
  • Access privilege change logs corresponding to review findings
  • Documentation of removed or disabled accounts with justification
  • Exception logs for accounts requiring elevated privileges with management approval
  • Screenshots or exports from directory services or privilege management tools showing current access state

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates system account discovery, tracks access privilege changes in real-time, and generates periodic access review reports with one click—eliminating manual spreadsheet tracking and ensuring no accounts slip through reviews.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 7.1 — Limit access to system components and cardholder dataPCI DSS 7.2.1 — Access control implementation through systems and databasesPCI DSS 8.1 — User identification and authentication mechanismsPCI DSS 8.2 — User access provisioning and deprovisioning procedures