Enterprise Directories and 8.5.5 Compliance


jbhall56
05-31-2007, 10:30 AM
We are running into this more and more with our larger clients. They have eDirectory, Active Directory or another LDAP directory where ALL their personnel have an entry. These directories are interfaced to their HR system to automatically generate a directory account when people are hired and delete the account when people are terminated.

Where we run into trouble is that most of these organizations employ seasonal workers and do not remove them from the directory between the seasons because they are not terminated; they are laid off or suspended. As a result, these seasonal workers end up creating a rather large pool of accounts not used in over 90 days (I have a client that has over 50K of these). These people have no access to PCI data of any sort, just access to the organization's HR/Payroll system through kiosks to manage their benefits, deductions and the like.

Right now we're working around this using compensating controls for these organizations. But that is problematic at best, as you are not supposed to have compensating controls going on and on, year after year, which is what will happen in this situation.

I'm interested in the group's thoughts on getting 8.5.5 changed to reflect a possibly more realistic approach to the 90-day rule. I would suggest that only those users with access to cardholder data would have to comply.

Coming from the financial institution industry, I wholeheartedly agree with the 90-day rule, but I'm having difficulty enforcing it in these situations when no access to sensitive information is provided.

npuetz
06-12-2007, 06:53 AM
I think this is a perfect example of where two things need to be considered: direct access to cardholder data and general business processes. I think the fact that you are dealing with a group of employees that do not have direct access to cardholder data alone removes them from the scope. In addition, you're talking about having to change a core business process: seasonal user provisioning. I think if these accounts are disabled and closely tracked, this would be a good control, combined with the fact that various ACLs are restricting them from accessing cardholder data anyway.

Outside of PCI, disabling seasonal accounts would be considered a good control and a good business process, since user provisioning can be very time-consuming and expensive. While I agree that compensating controls are not meant to be forever, this is a perfect example of where a permanent compensating control makes sense for the overall business and, in all actuality, doesn't hurt the company's security posture.
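The control both posts converge on (find every directory account idle for more than 90 days, separate the ones that can reach cardholder data from the seasonal HR-kiosk users, and disable the idle ones) is easy to state but easy to get wrong in practice: accounts that have never logged on have no last-logon value, and accounts that are already disabled should not be counted again. The script below is an added example, not code from the thread or from any PCI document. It runs over a constructed sample of directory entries using Active Directory attribute names (sAMAccountName, whenCreated, lastLogon, memberOf, userAccountControl); the group name CardholderDB-Readers and the split into "required" versus "recommended" disables are assumptions that mirror the scoping argument made in the thread, not the wording of requirement 8.5.5 itself.

```python
"""Inactive-account review for a 90-day rule, scoped by cardholder-data access.

Added example for this thread. Attribute names follow Active Directory; a real
run would replace SAMPLE_ENTRIES with an LDAP export. One caveat a practitioner
should know: AD's replicated lastLogonTimestamp can lag the true last logon by
up to about 14 days, so a strict 90-day cut-off needs a margin or a query
against every domain controller's non-replicated lastLogon.
"""
from datetime import datetime, timezone

# userAccountControl bit meaning "account is disabled" (ACCOUNTDISABLE = 0x2).
UAC_ACCOUNTDISABLE = 0x2

# Assumed group whose members can reach cardholder data (hypothetical DN).
CHD_GROUPS = {"cn=cardholderdb-readers,ou=groups,dc=example,dc=com"}

# Fixed "now" so the example is reproducible.
NOW = datetime(2007, 6, 12, tzinfo=timezone.utc)

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample entries; not real accounts.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jsmith", "whenCreated": _utc(2006, 1, 3),
     "lastLogon": _utc(2007, 6, 1), "userAccountControl": 512,
     "memberOf": ["CN=CardholderDB-Readers,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "seasonal1", "whenCreated": _utc(2005, 4, 1),
     "lastLogon": _utc(2007, 1, 15), "userAccountControl": 512,
     "memberOf": ["CN=HR-Kiosk-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "seasonal2", "whenCreated": _utc(2005, 4, 1),
     "lastLogon": _utc(2006, 11, 30), "userAccountControl": 514,  # already disabled
     "memberOf": ["CN=HR-Kiosk-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "dbadmin", "whenCreated": _utc(2004, 9, 9),
     "lastLogon": _utc(2007, 2, 1), "userAccountControl": 512,
     "memberOf": ["CN=CardholderDB-Readers,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "newhire", "whenCreated": _utc(2007, 6, 5),
     "lastLogon": None, "userAccountControl": 512,  # never logged on yet
     "memberOf": []},
    {"sAMAccountName": "stalehire", "whenCreated": _utc(2007, 2, 20),
     "lastLogon": None, "userAccountControl": 512,  # provisioned, never used
     "memberOf": ["CN=CardholderDB-Readers,OU=Groups,DC=example,DC=com"]},
]

def is_disabled(entry):
    return bool(entry["userAccountControl"] & UAC_ACCOUNTDISABLE)

def inactive_days(entry, now):
    """Days since last logon; accounts that never logged on count from creation."""
    reference = entry["lastLogon"] or entry["whenCreated"]
    return (now - reference).days

def in_chd_scope(entry, chd_groups=CHD_GROUPS):
    """True if any group DN matches the cardholder-data groups (DNs are case-insensitive)."""
    return any(dn.lower() in chd_groups for dn in entry["memberOf"])

def review_accounts(entries, now=NOW, chd_groups=CHD_GROUPS, threshold_days=90):
    """Classify each entry; returns a list of dicts, one per account."""
    report = []
    for entry in entries:
        days = inactive_days(entry, now)
        scoped = in_chd_scope(entry, chd_groups)
        if days <= threshold_days:
            action = "ACTIVE"
        elif is_disabled(entry):
            action = "ALREADY_DISABLED"
        elif scoped:
            action = "DISABLE_REQUIRED"      # idle and can reach cardholder data
        else:
            action = "DISABLE_RECOMMENDED"   # idle, out of CHD scope (seasonal pool)
        report.append({"name": entry["sAMAccountName"], "inactive_days": days,
                       "in_scope": scoped, "action": action})
    return report

def summarize(report):
    """Count accounts per action so the idle pool can be tracked over time."""
    counts = {}
    for row in report:
        counts[row["action"]] = counts.get(row["action"], 0) + 1
    return counts

if __name__ == "__main__":
    rows = review_accounts(SAMPLE_ENTRIES)
    for row in rows:
        print(f"{row['name']:<12} {row['inactive_days']:>4}d  "
              f"{'CHD' if row['in_scope'] else '---'}  {row['action']}")
    print(summarize(rows))
```

Running it lists each account with its idle days, scope flag and action; the summary counts are what you would keep from run to run to show an assessor that the seasonal pool is being tracked rather than ignored. Swapping the disable action for an actual LDAP modify (setting the ACCOUNTDISABLE bit) is the only change needed to turn the report into an enforcement job.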