8.1.3 Immediately revoke access for any terminated users

8.1.3 Immediately revoke access for any terminated users.

8.1.3.a Select a sample of users terminated in the past six months, and review current user access lists*—*for both local and remote access—to verify that their IDs have been deactivated or removed from the access lists.
8.1.3.b Verify all physical authentication methods—such as, smart cards, tokens, etc.—have been returned or deactivated.

If an employee has left the company and still has access to the network via their user account, unnecessary or malicious access to cardholder data could occur—either by the former employee or by a malicious user who exploits the old and/or unused account. To prevent unauthorized access, user credentials and other authentication methods therefore need to be revoked promptly (as soon as possible) upon the employee’s departure.