WithPCI.com

8.2.5 Access for terminated users is immediately revoked.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

8.2.5 Access for terminated users is immediately revoked.

Customized Approach Objective

The accounts of terminated users cannot be used.

Defined Approach Testing Procedures

8.2.5.a Examine information sources for terminated users and review current user access lists—for both local and remote access—to verify that terminated user IDs have been deactivated or removed from the access lists.

8.2.5.b Interview responsible personnel to verify that all physical authentication factors—such as smart cards, tokens, etc.—have been returned or deactivated for terminated users.
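One way to perform the reconciliation in 8.2.5.a is to compare an HR termination feed against every current access list (local and remote) and flag terminated user IDs that are still enabled. This is an added illustration, not WithPCI's or the PCI SSC's code; the HR and access-list field names and all sample records are constructed assumptions, not a real HRIS or directory schema.

```python
"""Reconcile an HR termination feed against current access lists (8.2.5.a).

Constructed sample data; field names are assumptions, not a real HRIS/IdP schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEntry:
    source: str      # e.g. "local-ad" or "vpn": both local and remote lists are checked
    user_id: str
    enabled: bool    # a deactivated (disabled) account satisfies the requirement


# Constructed sample input: HR terminations (user id -> termination time, UTC)
TERMINATED = {
    "jdoe": datetime(2024, 5, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 5, 2, 9, 30, tzinfo=timezone.utc),
    "bwong": datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc),
}

# Constructed sample access lists exported from two systems
ACCESS_LISTS = [
    AccessEntry("local-ad", "jdoe", enabled=True),     # still enabled: finding
    AccessEntry("vpn", "JDoe", enabled=True),          # remote access, case differs
    AccessEntry("local-ad", "asmith", enabled=False),  # disabled: compliant
    AccessEntry("vpn", "carol", enabled=True),         # active employee: ignored
    # bwong appears on no list: account removed, compliant
]

# Point in time at which the review is run (constructed)
AS_OF = datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)


def find_unrevoked(terminated, access_lists, now):
    """Return (source, user_id, hours_since_termination) for every terminated
    user whose account is still enabled on any access list. IDs are compared
    case-insensitively so a differently-cased VPN login is not missed."""
    term = {uid.lower(): ts for uid, ts in terminated.items()}
    findings = []
    for entry in access_lists:
        ts = term.get(entry.user_id.lower())
        if ts is None or not entry.enabled:
            continue
        hours = (now - ts).total_seconds() / 3600
        findings.append((entry.source, entry.user_id, round(hours, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for f in find_unrevoked(TERMINATED, ACCESS_LISTS, AS_OF):
        print("UNREVOKED: source=%s user=%s hours_since_termination=%s" % f)
```

The hours-since-termination figure is the evidence an assessor looks for when judging whether revocation was "immediate"; accounts that are disabled rather than deleted produce no finding, matching the "deactivated or removed" wording of the testing procedure.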

Purpose

If an employee or third party/vendor has left the company and still has access to the network via their user account, unnecessary or malicious access to cardholder data could occur—either by the former employee or by a malicious user who exploits the old and/or unused account.

Purpose

Revalidate user access at least every six months.

Compliance Strategies

  • Scheduled access reviews
  • Manager attestation

Typical Policies

  • Access Review Policy

Common Pitfalls

  • Missed reviews
  • No review documentation

Type

Process Control

Difficulty

Moderate

Key Risks

  • Excessive or outdated access

Recommendations

  • Automate periodic access reviews

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
