What must happen to access for onsite personnel upon termination?

Multiple Choice

What must happen to access for onsite personnel upon termination?

Explanation:
Immediate revocation of access is essential when onsite personnel are terminated. When someone leaves or is terminated, all their credentials—logical (system accounts, VPN, email) and physical (badges, keys, badge readers, alarm codes)—must be disabled or returned right away. This prevents any chance of unauthorized entry or data access and supports a least-privilege approach, which is foundational to protecting cardholder data under PCI DSS.

Why this is the best approach: it closes the security gap as soon as the person no longer has a legitimate role. Keeping access active even for a short period creates a window where misuse could occur, which PCI DSS aims to avoid.

Delaying revocation until a later time, transferring access to someone else, or making it an annual decision would prolong vulnerability and is not aligned with secure termination practices.
