Which action should be taken immediately for any terminated users?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

Which action should be taken immediately for any terminated users?

Explanation:
When a user is terminated, access must be revoked immediately to prevent any chance of the former employee reaching systems or data. This is a core control in PCI DSS: promptly removing the individual's access stops potential misuse and protects cardholder data from being exposed after departure. An immediate offboarding step typically involves disabling or deleting accounts, revoking authentication tokens, and removing the user from privileged groups, across all systems and networks. Delays—such as waiting days, tying revocation to audits, or not revoking at all—create a window where unauthorized access could occur and lead to a breach or noncompliance. So, the safest and correct action is to revoke access right away.
