PCI DSS 8.2.4: Authorize Account Additions and Deletions
User account lifecycle management is a critical control point in PCI DSS compliance. Control 8.2.4 requires formal authorization procedures for adding, modifying, and removing user IDs and credentials to prevent unauthorized access and privilege escalation. Organizations must establish clear approval workflows and audit trails for all account changes.
What this means
This control mandates that every addition, deletion, or modification of user accounts, credentials, and identifier objects requires documented authorization from appropriate management before implementation. The control ensures accountability by creating an audit trail of who approved what changes and when, preventing unauthorized or rogue account creation that could lead to data breaches.
How to comply
- 1.Define formal approval workflows for account creation, deletion, and modification requests
- 2.Assign authorization responsibility to designated managers or identity administrators
- 3.Document all account lifecycle requests with requester, approver, date, and business justification
- 4.Implement a ticketing or change management system to track authorization status
- 5.Require written or digitally signed approval before provisioning or deprovisioning accounts
- 6.Maintain audit logs showing who authorized each change and when it was executed
- 7.Review and test authorization procedures during quarterly compliance assessments
- 8.Remove access immediately upon termination with documented authorization trail
Evidence auditors look for
- Change management tickets showing approval signatures for new user accounts
- Authorization forms with manager sign-off prior to account deletion
- Identity access management (IAM) system audit logs showing approval workflow completion
- Employee termination checklist documenting account removal authorization
- Role-based access control (RBAC) policies defining who can authorize account changes
- Segregation of duties evidence showing request, approval, and implementation steps
- Email trails or workflow system records documenting the authorization chain
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates user account authorization workflows by capturing change requests, routing them to designated approvers, and maintaining tamper-proof audit logs—eliminating manual spreadsheets and ensuring every account addition or deletion is properly authorized and documented for PCI audits.
See how GRCWatch handles this control automatically
Start free trial