Inactive user accounts should be addressed within what time frame?

Prepare for the PCI DSS Internal Security Assessor Test. Study with flashcards and detailed multiple choice questions, all featuring hints and explanations. Excel in your exam!

Inactive user accounts should be addressed within a 90-day time frame to maintain security and reduce potential risks. The PCI DSS standard emphasizes the importance of managing user accounts effectively, particularly addressing those that have not been active for a certain period of time.

When an account remains inactive, it can become a potential security vulnerability, as it might be exploited by unauthorized individuals. Implementing a process to review and deactivate such accounts within 90 days helps organizations mitigate risks and maintain a secure environment.

This time frame is deemed reasonable because it lets organizations audit user activity regularly and act promptly to secure the system, while still giving legitimate users who were temporarily inactive enough time to return. This is particularly important in environments handling sensitive payment card data, where breaches can have significant consequences.
