Deactivation/Block Users after 90 Days of Inactivity - How do you meet PCI DSS 8.2.6 in Auth0?

PCI DSS 8.2.6 says you must disable or delete any user who has not logged in for 90 days.

Here is what I have found so far:

  • Login Action
    Runs only after a user signs in.
    Doesn’t touch accounts that stay silent for 90 days or more.

  • Auth0 community suggestion
    Build an external job that polls Auth0 and blocks stale accounts.
    Adds another moving part that will grow with every new user.

My questions for you

  • How do you handle this cleanly in Auth0 today?
  • Did you find a built‑in feature I missed?
  • Any tips on keeping the process light as the user base expands?

Thanks for your time and ideas!
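A sketch of the external job mentioned under "Auth0 community suggestion", added here as an example and not part of the original post or Auth0's own code. It assumes Management API user objects with `user_id`, `last_login`, `created_at` and `blocked` fields and a tenant on user search v3; the domain and sample records are constructed placeholders, and the search filter should be checked against your tenant before use.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

INACTIVITY_DAYS = 90  # threshold quoted in the post for PCI DSS 8.2.6

def _ts(value):
    # Auth0 returns ISO 8601 UTC timestamps ending in "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def search_query(now):
    """Lucene filter for GET /api/v2/users so each run pulls only candidates."""
    day = (now - timedelta(days=INACTIVITY_DAYS)).strftime("%Y-%m-%d")
    return (f"last_login:[* TO {day}] OR "
            f"(NOT _exists_:logins_count AND created_at:[* TO {day}])")

def stale_users(users, now):
    """Return user_ids that are not blocked and silent for INACTIVITY_DAYS or more."""
    cutoff = now - timedelta(days=INACTIVITY_DAYS)
    stale = []
    for u in users:
        if u.get("blocked"):
            continue  # already disabled, nothing to do
        # Accounts that never signed in age from created_at; otherwise
        # they would escape the check forever.
        last_seen = _ts(u.get("last_login") or u["created_at"])
        if last_seen <= cutoff:
            stale.append(u["user_id"])
    return stale

def block_requests(user_ids, domain):
    """Build (method, url, body) for PATCH /api/v2/users/{id}; sending is left to the caller."""
    return [("PATCH", f"https://{domain}/api/v2/users/{quote(uid, safe='')}",
             {"blocked": True}) for uid in user_ids]

# Constructed sample records shaped like Management API user objects.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"user_id": "auth0|active", "created_at": "2024-01-10T08:00:00.000Z",
     "last_login": "2025-05-20T09:30:00.000Z"},
    {"user_id": "auth0|stale", "created_at": "2024-01-10T08:00:00.000Z",
     "last_login": "2025-01-15T09:30:00.000Z"},
    {"user_id": "auth0|never", "created_at": "2024-11-01T08:00:00.000Z"},
    {"user_id": "auth0|new", "created_at": "2025-05-25T08:00:00.000Z"},
    {"user_id": "auth0|blocked", "created_at": "2023-01-01T08:00:00.000Z",
     "last_login": "2024-06-01T09:30:00.000Z", "blocked": True},
]

if __name__ == "__main__":
    print(search_query(NOW))
    for request in block_requests(stale_users(SAMPLE, NOW), "tenant.example.com"):
        print(request)
```

The server-side filter only narrows the poll to day granularity; `stale_users` makes the final decision, so the job stays correct even if the filter returns extra records.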

Hi @paul.mugford

Welcome to the Auth0 Community!

Thank you for bringing that to our attention! I will inform our engineering team about that. Would you also be able to open a new thread in the Product Feedback category, explaining your use case and describing the desired flow? Please make sure to upvote it so that it gets as many votes as possible and attracts as many community members as possible. You can read our FAQ regarding submitting a feature request here: How to Submit Product Feedback or Feature Requests

Thanks
Dawid

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.