On March 31st, 2022 PCI DSS v4.0 was released. Today’s post is part of a series of pieces we are publishing that explore the changes to the PCI standard and provide insight into what the changes will mean for your organization. All of our posts can be found here.
User Accounts, Application and System Accounts, and Access Reviews
Remember the good ole days when Requirement 7 was all about general and privileged user accounts? Well, those days are done as of March 31, 2025! The Council has now added Application and System Accounts into the mix, as well as added more requirements to manage them.
Let’s start with general and privileged user accounts (Requirement 7.2.4). The big change to this requirement is that all user accounts and related access privileges, including third-party/vendor accounts, must be reviewed at least once every six months to:
I think we can all attest that new hire user accounts and terminated user accounts are well-managed – Human Resources generally has a lot to do with this! What we find lacking during PCI assessments has to do with what happens when an employee “moves, adds, and/or changes” their role. This requirement is an attempt at ensuring the changes over an employee’s tenure with an organization are appropriate for the job they are currently in versus an accumulation of all access privileges granted to the individual throughout their employment.
The good news for some organizations is that while this is a new requirement in v4.0, you may already be addressing it as part of other certifications (e.g., SOX, HITRUST). If so, you may have already done a lot of the heavy lifting required. If not, you will need to create a process within your organization to address these requirements, and I recommend putting this process in place sooner rather than later – if you haven’t been doing this in your organization, the determination and cleanup of privileges may take some time.
In v3.2.1, the application and system accounts weren’t called out in Requirement 7 other than to state the requirements did not apply to these accounts. PCI DSS v4.0 includes new requirements that introduce complexities for application and system accounts. These accounts (Requirement 7.2.5) now must address the following:
This could prove to be a challenge for many entities where application and system accounts have broad or administrative privileges, are non-interactive, and use non-expiring credentials. Historically, application and system accounts were granted permissions on each device without regard for the level of privilege needed for the action required on that particular device. These accounts were given “blanket” access rather than least privilege.
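To make the review described above concrete, here is an added example (not from the post or from Online Business Systems) that runs a six-month review over constructed account records: it flags accounts not reviewed within the interval, compares each user’s granted privileges with a least-privilege baseline for their current role (catching the “mover” accumulation), and flags application/system accounts with blanket or interactive access. The role names, privilege labels, account records and the 182-day interval are assumptions.

```python
from datetime import date, timedelta

# All data below is constructed for illustration; nothing here comes from a real PCI environment.
ROLE_BASELINE = {                      # least-privilege set for each current job role
    "cashier": {"pos_app_user"},
    "store_manager": {"pos_app_user", "pos_reports"},
    "dba": {"db_admin", "db_backup"},
}
SYSTEM_NEEDED = {                      # what each application/system account actually needs
    "svc_pos_sync": {"pos_reports"},
}
REVIEW_INTERVAL = timedelta(days=182)  # "at least once every six months"
REVIEW_DATE = date(2024, 10, 1)        # constructed date on which the review is run

ACCOUNTS = [
    {"name": "jdoe", "type": "user", "role": "store_manager",    # mover: kept db_admin from old job
     "privs": {"pos_app_user", "pos_reports", "db_admin"}, "last_reviewed": date(2024, 1, 15),
     "interactive": True},
    {"name": "asmith", "type": "user", "role": "cashier", "privs": {"pos_app_user"},
     "last_reviewed": date(2024, 9, 1), "interactive": True},
    {"name": "vendor_support", "type": "user", "role": "dba", "privs": {"db_admin"},
     "last_reviewed": date(2024, 8, 20), "interactive": True},   # third-party account, in scope too
    {"name": "svc_pos_sync", "type": "system", "role": None,      # "blanket" access, never reviewed
     "privs": {"db_admin", "db_backup", "pos_reports"}, "last_reviewed": None, "interactive": True},
]

def review_findings(accounts, today):
    """Return {account_name: [finding, ...]} for every account that needs action."""
    findings = {}
    for acct in accounts:
        issues = []
        # Every account (user, third-party, application/system) must be reviewed within the interval
        if acct["last_reviewed"] is None or today - acct["last_reviewed"] > REVIEW_INTERVAL:
            issues.append("review overdue")
        # Compare granted privileges with what the current role or system function needs
        if acct["type"] == "user":
            needed = ROLE_BASELINE.get(acct["role"], set())
        else:
            needed = SYSTEM_NEEDED.get(acct["name"], set())
            if acct["interactive"]:
                issues.append("interactive logon enabled on application/system account")
        excess = acct["privs"] - needed
        if excess:
            issues.append("excess privileges: " + ", ".join(sorted(excess)))
        if issues:
            findings[acct["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in review_findings(ACCOUNTS, REVIEW_DATE).items():
        print(f"{name}: {'; '.join(issues)}")
```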
As with general and privileged user accounts, entities must do the following:
When it comes to PCI 4.0 and the changes to the accounts discussed above, we understand that addressing this requirement will be a lot of work for many organizations. We strongly recommend that before you address them, you give careful consideration to how your organization can best identify, track, and manage these efforts. If available, make use of systems that are already in place, such as Jira, Aveksa, Zen, etc., which can leverage automated task scheduling or workflow functions, including evidence collection and facilitating reviews. Having tools that simplify this effort and streamline activities can give you an advantage.
Note: These requirements are best practice until 31 March 2025, after which they will be required and assessed.
As always, Online Business Systems is available to assist in helping to develop this portion of your PCI program.
For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Centre, where we have identified and dissected all of the changes and new requirements in the latest release of the PCI Standard.