Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PCI DSS quarterly reviews: are your CDE access controls keeping up?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 164
Topic starter  

TL;DR: Quarterly PCI DSS access reviews fail when organisations rely on spreadsheets, miss dormant accounts, and overlook service accounts inside the cardholder data environment, according to Zluri. The real issue is not review cadence alone but whether discovery, evidence, and remediation are closed-loop enough to survive QSA scrutiny.

NHIMG editorial — based on content published by Zluri: Security & Compliance PCI DSS User Access Review: How to Protect Cardholder Data Through Quarterly Validation

By the numbers:

Questions worth separating out

Q: What breaks when PCI access reviews are still managed in spreadsheets?

A: Spreadsheet-driven PCI access reviews usually break on evidence integrity, timing, and completeness.

Q: Why do dormant accounts create PCI DSS compliance failures so quickly?

A: Dormant accounts become a PCI issue because requirement 8.1.4 is based on a hard inactivity threshold.

Q: What do security teams get wrong about service accounts in PCI environments?

A: Teams often treat service accounts as infrastructure details instead of identities that require review.

Practitioner guidance

  • Continuously discover CDE scope Map every system that stores, processes, or transmits card data, including support tools, staging, backups, reporting exports, and cloud infrastructure.
  • Separate human and service-account reviews Build distinct review paths for employee accounts, contractors, and service accounts so automation identities are not hidden inside human certification workflows.
  • Automate 90-day inactivity detection Track last-login and last-use signals continuously, then flag accounts at risk before they cross the 90-day dormant threshold.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step evidence package structure for QSA review, including what auditors expect in each export.
  • Practical examples of review artefacts for dormant accounts, service accounts, and remediation tracking.
  • Manual-to-automated workflow comparisons for quarterly access validation across payment systems.
  • Examples of how organisations align review cadence, offboarding, and CDE scope discovery in practice.

👉 Read Zluri's analysis of PCI DSS quarterly access reviews and CDE scope →

PCI DSS quarterly reviews: are your CDE access controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

PCI access reviews fail when the CDE is treated as a static inventory. The article shows that cardholder data spreads into support tools, staging environments, reports, and backups long before the next quarterly review starts. That means the review population is already stale when the cycle begins, which turns compliance into a retrospective exercise. For identity governance, the practical implication is that scoping must be continuous, not quarterly.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks.

A question worth separating out:

Q: Who is accountable when PCI access reviews are incomplete or late?

A: Accountability sits with the organisation that stores, processes, or transmits card data, even if review work is delegated to operations or a vendor platform. QSAs assess whether the control exists, whether evidence is complete, and whether dormant or excessive access was removed on time. Delegation does not shift responsibility.

👉 Read our full editorial: PCI DSS access reviews expose the hidden CDE governance gap



   
ReplyQuote
Share: