Deactivation/Block Users after 90 Days of Inactivity - How do you meet PCI DSS 8.2.6 in Auth0?

paul.mugford · June 24, 2025, 3:04pm

PCI DSS 8.2.6 says you must disable or delete any user who has not logged in for 90 days.

Here is what I have found so far:

Login Action
Runs only after a user signs in.
Doesn’t touch accounts that stay silent for 90 days or more.
Auth0 community suggestion
Build an external job that polls Auth0 and blocks stale accounts.
Adds another moving part that will grow with every new user.

My questions for you

Thanks for your time and ideas!

Topic		Replies	Views
Deactivate (or block) users after X number of days Get Help	4	5518	February 27, 2020
Block Inactive users and unblock them again when tries to login Get Help user-profile , user-management	2	178	September 27, 2024
Deleted users are able to reactivated their accounts by logging in (social users) Get Help login-experience , new-universal-login-experience	5	1217	October 16, 2023
Deactivation or Block Users after X Number of Days of Inactivity Knowledge Articles inactivity , blocked-user	1	486	April 26, 2024
Disable the user temporarily Get Help login	6	5028	March 16, 2020