TL;DR: Quarterly PCI DSS access reviews fail when organisations rely on spreadsheets, miss dormant accounts, and overlook service accounts inside the cardholder data environment, according to Zluri. The real issue is not review cadence alone but whether discovery, evidence, and remediation are closed-loop enough to survive QSA scrutiny.
At a glance
What this is: This is a PCI DSS access review analysis showing why quarterly validation often fails on dormant accounts, service accounts, and incomplete cardholder data environment scoping.
Why it matters: It matters because IAM teams must govern human, NHI, and service-account access together when payment data is in scope, or compliance evidence breaks at the same point operational control does.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
👉 Read Zluri's analysis of PCI DSS quarterly access reviews and CDE scope
Context
PCI DSS access reviews are a governance control, not just an audit task. The article shows that quarterly review failures usually come from incomplete scoping, stale access, and weak evidence handling, especially where the cardholder data environment includes human users, service accounts, and exported data paths.
For IAM and IGA teams, the key lesson is that PCI compliance breaks when access governance is not continuous enough to detect dormant accounts and offboard users fast enough. The control problem is broader than review frequency because it also depends on discovery, lifecycle handling, and system-generated evidence.
Key questions
Q: What breaks when PCI access reviews are still managed in spreadsheets?
A: Spreadsheet-driven PCI access reviews usually break on evidence integrity, timing, and completeness. They cannot reliably prove who reviewed which account, when the review happened, or whether revocations were actually executed. That makes it hard to satisfy QSA scrutiny, especially when the CDE includes multiple systems and service accounts.
Q: Why do dormant accounts create PCI DSS compliance failures so quickly?
A: Dormant accounts become a PCI issue because requirement 8.1.4 is based on a hard inactivity threshold. If an account remains active for more than 90 days without review or removal, it is already non-compliant, even if the next quarterly review eventually finds it. The control must detect inactivity before the threshold passes.
Q: What do security teams get wrong about service accounts in PCI environments?
A: Teams often treat service accounts as infrastructure details instead of identities that require review. That is a mistake because service accounts can still access cardholder data, and they rarely fit human review workflows. They need explicit ownership, purpose, and inclusion in the same governance scope as user accounts.
Q: Who is accountable when PCI access reviews are incomplete or late?
A: Accountability sits with the organisation that stores, processes, or transmits card data, even if review work is delegated to operations or a vendor platform. QSAs assess whether the control exists, whether evidence is complete, and whether dormant or excessive access was removed on time. Delegation does not shift responsibility.
Technical breakdown
Cardholder data environment scope and access review boundaries
PCI access review work starts with scoping the cardholder data environment, or CDE, which includes every system that stores, processes, or transmits card data. The article shows why CDE scope often expands beyond payment gateways into support tools, staging systems, reports, backups, and infrastructure that teams do not initially classify as in-scope. Once data reaches those systems, every identity with access becomes part of the quarterly review population. That makes scope control a discovery problem as much as an access problem.
Practical implication: Practitioners need continuous discovery of systems and data flows before they can trust any quarterly access review list.
Dormant accounts, offboarding, and the 90-day rule
PCI DSS requirement 8.1.4 is operationally strict because accounts inactive for 90 days must be disabled or removed. The article shows why this is hard: HR may know who left, but it does not know when a payment-related account stopped being used, and manual review cycles often identify stale access only after the threshold has already passed. This is a lifecycle failure, not just a review failure, because access outlives employment changes, role changes, and system usage changes.
Practical implication: Teams need offboarding and inactivity detection that work before the 90-day threshold is breached, not after an audit finds it.
QSA evidence, spreadsheets, and tamper-evident review logs
QSAs test whether access reviews are provable, not merely performed. The article explains that spreadsheets fail because they are easy to alter, do not prove who reviewed what, and do not preserve the sequence of review and remediation actions. System-generated logs with timestamps, reviewer identity, and before-and-after records create a defensible chain of evidence. In practice, evidence quality is part of the control itself because weak evidence makes a valid review indistinguishable from a superficial one.
Practical implication: Replace manual spreadsheet workflows with review evidence that is immutable, timestamped, and directly tied to system changes.
Threat narrative
Attacker objective: The objective is to keep or expand access to cardholder data long enough to extract, misuse, or expose it without being caught by quarterly governance controls.
- Entry occurs when cardholder data is copied into systems outside the original payment boundary, such as support tools, staging databases, or reporting exports.
- Credential access or abuse happens when human accounts, contractors, and service accounts retain permissions after they should have been removed or reviewed.
- Impact follows when dormant or over-scoped access remains available long enough to expose cardholder data and trigger PCI non-compliance, penalties, or payment interruption.
Breaches seen in the wild
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
PCI access reviews fail when the CDE is treated as a static inventory. The article shows that cardholder data spreads into support tools, staging environments, reports, and backups long before the next quarterly review starts. That means the review population is already stale when the cycle begins, which turns compliance into a retrospective exercise. For identity governance, the practical implication is that scoping must be continuous, not quarterly.
Service-account blind spots are the hidden governance fault line in PCI programmes. The article's strongest operational signal is that teams remember employee accounts and forget automation identities, even though those accounts can still touch cardholder data. That is a classic NHI governance failure, because service accounts do not fit human review assumptions and do not surface through manager-based certification. Practitioners need to treat service accounts as first-class review subjects, not exceptions.
Quarterly review cadence does not compensate for weak offboarding discipline. The article shows that inactive accounts can sit beyond the 90-day threshold because access removal lags employment change, leave status, or role change. This is not a review-only problem, it is lifecycle drift across joiner-mover-leaver processes. The implication is that PCI compliance depends on tighter identity lifecycle governance than most organisations currently maintain.
Closed-loop evidence is now part of the control, not a reporting afterthought. QSAs are not just checking whether someone clicked approve, they are checking whether the approval was tied to a system-generated record that proves review, remediation, and current state. Spreadsheet-based governance cannot carry that burden at scale. Practitioners should view evidence integrity as a core requirement of access governance architecture.
Quarterly validation exposes a broader identity maturity gap than PCI alone. The same weaknesses that break PCI reviews also indicate weak visibility, poor offboarding, and incomplete ownership across human and non-human identities. The article therefore points beyond compliance mechanics to governance maturity. Teams that still manage these reviews manually are likely carrying the same blind spots into other regulated identity processes, including SOX, SOC 2, and cloud access reviews.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks.
- For the broader identity lifecycle context, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the review, rotation, and offboarding patterns that underpin sustainable governance.
What this signals
PCI review maturity is a proxy for broader identity control maturity. If an organisation cannot produce QSA-ready evidence for quarterly access reviews, it will usually struggle with the same lifecycle discipline in adjacent programmes. The issue is not just PCI reporting, it is whether discovery, ownership, and remediation are integrated enough to keep human and non-human access aligned with current risk.
Service-account governance is where many compliance programmes quietly fail. That gap becomes more visible as applications, reporting jobs, and support tooling accumulate access outside the original payment boundary. For teams already dealing with machine identities, the lesson is to extend governance from user certification to workload and automation identities before audit season exposes the blind spot.
Quarterly certification should be treated as an outcome of continuous identity hygiene, not a periodic project. The organisations that move fastest here are the ones that connect access discovery, offboarding, and evidence capture into one operating model. For practitioners, the next step is to align review cadence with the rate at which identities and in-scope systems actually change.
For practitioners
- Continuously discover CDE scope Map every system that stores, processes, or transmits card data, including support tools, staging, backups, reporting exports, and cloud infrastructure. Revalidate scope before each review cycle so the access population does not start from an outdated inventory.
- Separate human and service-account reviews Build distinct review paths for employee accounts, contractors, and service accounts so automation identities are not hidden inside human certification workflows. Require ownership, purpose, and business justification for every service account in scope.
- Automate 90-day inactivity detection Track last-login and last-use signals continuously, then flag accounts at risk before they cross the 90-day dormant threshold. Route those cases into offboarding or suspension workflows instead of waiting for quarterly sampling to find them.
- Replace spreadsheet evidence with system-generated logs Capture reviewer identity, timestamps, approval decisions, revocation actions, and before-and-after state directly from systems of record. Preserve tamper-evident evidence so QSA validation can verify what happened without reconstructing it from spreadsheets.
- Close revocation loops before the quarter ends Tie review decisions to executable remediation so approved removals are carried out immediately and exceptions are time-bound. If revocations still depend on manual follow-up weeks later, the review process is already failing the quarterly requirement.
Key takeaways
- PCI DSS access review failures usually come from stale scope, dormant access, and weak evidence, not from the absence of a quarterly checklist.
- Service accounts and forgotten offboarding are central causes of non-compliance because they fall outside human-centric review habits.
- The control that matters most is a closed-loop identity governance process that can discover, review, revoke, and prove access changes before audit time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 set the technical controls, and PCI DSS v4.0 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on stale credentials and review gaps across NHI access. |
| NIST CSF 2.0 | PR.AA-01 | Access governance and review evidence are central to PCI validation. |
| PCI DSS v4.0 | 8.1.4 | The article directly discusses the 90-day dormant account requirement. |
Track NHI lifecycle events and rotate or revoke dormant access before quarterly review exceptions appear.
Key terms
- Cardholder Data Environment: The cardholder data environment is the set of systems, applications, and identities that store, process, or transmit payment card data. In practice, it often extends beyond the payment gateway to support tools, reports, backups, and test environments that unexpectedly bring more identities into scope.
- Dormant Account: A dormant account is an identity that has not been used for a defined period and should no longer retain active access. Under PCI DSS, accounts inactive for 90 days must be disabled or removed, which makes inactivity detection a governance control rather than an audit afterthought.
- Service Account: A service account is a non-human identity used by applications, scripts, integrations, and batch jobs to access systems without a person logging in. These accounts often bypass human review patterns because they lack managers and HR records, yet they can still reach sensitive payment systems.
- QSA Evidence: QSA evidence is the audit trail a Qualified Security Assessor uses to verify that a control was operating as claimed. For access reviews, that means timestamps, reviewer identity, decisions, revocations, and system-generated logs that cannot be easily altered after the fact.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step evidence package structure for QSA review, including what auditors expect in each export.
- Practical examples of review artefacts for dormant accounts, service accounts, and remediation tracking.
- Manual-to-automated workflow comparisons for quarterly access validation across payment systems.
- Examples of how organisations align review cadence, offboarding, and CDE scope discovery in practice.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org