8.1.4 Remove/disable inactive user accounts at least every 90 days.
8.1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.
Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more
easily exploited and used to access cardholder data.