Sherri Collis & Grant Sabesky
User Accounts, Application and System Accounts, and Access Reviews
Remember the good ole days when Requirement 7 was all about general and privileged user accounts? Well, those days are done as of March 31, 2025! The Council has now added Application and System Accounts into the mix, as well as added more requirements to manage them.
General and Privileged User Accounts
Let’s start with general and privileged user accounts (Requirement 7.2.4). The big change to this requirement is that all user accounts and related access privileges, including third-party/vendor accounts, must be reviewed at least once every six months to:
- Confirm that access remains appropriate,
- Remove any inappropriate access, and
- Have management acknowledge that access remains appropriate.
I think we can all attest that new-hire user accounts and terminated user accounts are well managed – Human Resources generally has a lot to do with this! What we find lacking during PCI assessments is what happens when an employee “moves, adds, and/or changes” roles. This requirement is an attempt to ensure that the access an employee holds over their tenure with an organization matches the job they are currently in, rather than an accumulation of every access privilege granted to the individual throughout their employment.
The good news for some organizations is that while this is a new requirement in v4.0, you may already be addressing it as part of other certifications (e.g., SOX, HITRUST). If so, you may have already done a lot of the heavy lifting required. If not, you will need to create a process within your organization to address these requirements, and I recommend putting this process in place sooner rather than later – if you haven’t been doing this in your organization, determining and cleaning up privileges may take some time.
Application and System Accounts
In v3.2.1, the application and system accounts weren’t called out in Requirement 7 other than to state the requirements did not apply to these accounts. PCI DSS v4.0 includes new requirements that introduce complexities for application and system accounts. These accounts (Requirement 7.2.5) now must address the following:
- Be based on least privileges needed for operability of the system or application,
- Access must be limited to the systems, applications, or processes that specifically require their use,
- Policies and procedures must be in place to manage and assign application and system accounts and related access privileges, and
- Evidence must be provided to the QSA so they can examine privileges associated with system and application accounts, and in interview, must be able to verify that application and system accounts and access privileges are assigned and managed in accordance with the defined policy.
This could prove to be a challenge for many entities where application and system accounts have broad or administrative privileges, are non-interactive, and use non-expiring credentials. Historically, application and system accounts were granted permissions on each device without regard to the level of privilege actually needed for the action required on that particular device. These accounts were given “blanket” access rather than least privilege.
As with general and privileged user accounts, entities must do the following:
- Perform a targeted risk assessment to determine the frequency of risk analysis required for these accounts,
- Confirm access remains appropriate,
- Inappropriate access is addressed, and
- Management acknowledges access remains appropriate.
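The two review processes above (six-monthly review of user and vendor accounts under 7.2.4, and least-privilege review of application and system accounts under 7.2.5) both come down to the same check: compare what each account can do today against what its current role needs, and confirm the review is not overdue. The script below is an added illustration, not code from the original post or from Online Business Systems; the role baseline, the account records, the entitlement names and the 182-day interval are constructed sample values.

```python
from datetime import date, timedelta

# Constructed baseline: the least-privilege entitlement set each role needs.
ROLE_BASELINE = {
    "cashier": {"pos.sale"},
    "store-manager": {"pos.sale", "pos.refund", "reports.read"},
    "dba": {"db.read", "db.write", "db.admin"},
    "batch-settlement": {"db.read", "settlement.submit"},  # application/system account
}

REVIEW_INTERVAL = timedelta(days=182)  # "at least once every six months" (7.2.4)

# Constructed sample accounts. 'alice' moved from store-manager to cashier and kept
# her old privileges; 'svc-settle' is a system account that was never reviewed.
ACCOUNTS = [
    {"id": "alice", "kind": "user", "role": "cashier",
     "entitlements": {"pos.sale", "pos.refund", "reports.read"}, "last_review": date(2024, 9, 1)},
    {"id": "bob", "kind": "vendor", "role": "dba",
     "entitlements": {"db.read", "db.write", "db.admin"}, "last_review": date(2025, 2, 10)},
    {"id": "svc-settle", "kind": "system", "role": "batch-settlement",
     "entitlements": {"db.read", "db.admin", "settlement.submit"}, "last_review": None},
]


def review_account(acct, today, baseline=ROLE_BASELINE, interval=REVIEW_INTERVAL):
    """Return findings for one account: accumulated privileges and overdue/missing review."""
    findings = []
    allowed = baseline.get(acct["role"])
    if allowed is None:  # a role with no baseline cannot be reviewed for least privilege
        findings.append("no baseline defined for role %r" % acct["role"])
        allowed = set()
    excess = sorted(acct["entitlements"] - allowed)
    if excess:
        findings.append("privileges beyond role baseline: " + ", ".join(excess))
    if acct["last_review"] is None:
        findings.append("never reviewed")
    elif today - acct["last_review"] > interval:
        findings.append("review overdue (last %s)" % acct["last_review"].isoformat())
    return findings


def run_review(accounts, today):
    """Map account id -> findings; an empty list means access can be attested as appropriate."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {a["id"]: review_account(a, today) for a in accounts}


if __name__ == "__main__":
    for acct_id, findings in run_review(ACCOUNTS, "2025-04-01").items():
        print(acct_id, "OK" if not findings else "; ".join(findings))
```

Each non-empty findings list is an item for the reviewer to resolve (remove the excess privilege or document why it is needed) before management signs off; the evidence produced this way is what a QSA will ask to examine.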
A Recommendation
When it comes to PCI DSS v4.0 and the changes to the accounts discussed above, we understand that addressing these requirements will be a lot of work for many organizations. We strongly recommend that before you address them, you give careful consideration to how your organization can best identify, track, and manage these efforts. If available, make use of systems that are already in place, such as Jira, Aveksa, Zen, etc., which can leverage automated task scheduling or workflow functions, including evidence collection and facilitating reviews. Having tools that simplify this effort and streamline activities can give you an advantage.
Note: These requirements are best practice until 31 March 2025, after which they will be required and assessed.
As always, Online Business Systems is available to assist in helping to develop this portion of your PCI program.
For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Centre, where we have identified and dissected all of the changes and new requirements in the latest release of the PCI Standard.