GRCWatch
Sign inStart free trial

PCI DSS 8.2.5: Immediately Revoke Terminated User Access

When an employee leaves your organization, their access must be revoked immediately—not later, not "soon." PCI DSS 8.2.5 requires instant deprovisioning of terminated users to prevent unauthorized access to cardholder data. This control is critical for reducing insider risk and maintaining audit-ready access logs.

What this means

PCI DSS 8.2.5 mandates that organizations revoke all system access for terminated employees without delay. This includes physical access, system accounts, application credentials, VPN access, and any other authentication mechanisms. The intent is to eliminate the window of opportunity where a former employee could access sensitive payment card data or systems. 'Immediately' means on the same day of termination, not within a grace period.

How to comply

  1. 1.Create a documented offboarding checklist triggered automatically on employee termination date
  2. 2.Disable or delete user accounts across all systems on the termination date
  3. 3.Revoke physical access badges, keys, and building credentials same-day
  4. 4.Remove user from all security groups, roles, and permission sets
  5. 5.Audit and archive user-owned files and email data per retention policy
  6. 6.Notify system owners and managers of the termination to ensure completeness
  7. 7.Document the revocation date, time, and approver for audit evidence
  8. 8.Review access logs post-termination to confirm no residual access remains

Evidence auditors look for

  • Offboarding workflow documentation showing immediate deprovisioning triggers
  • User access revocation logs with timestamps matching termination dates
  • System audit trails showing account disables/deletions on termination day
  • Physical security records (badge access, facility logs) post-termination
  • Email forwarding and data transfer approvals completed on departure
  • Manager sign-off forms confirming all access has been removed
  • Identity and access management (IAM) reports showing zero active accounts for terminated users
  • Incident logs or access attempts by terminated users (should show none)

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates offboarding workflows that trigger instant access revocation across all connected systems on termination date, eliminating manual steps and providing timestamped evidence for PCI audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 8.1.1 — Assign Unique User IDsPCI DSS 8.1.3 — Remove/Disable Inactive AccountsPCI DSS 8.2.1 — Use Strong AuthenticationPCI DSS 8.2.3 — Restrict Access by Need to KnowPCI DSS 8.5.1 — Control Physical Access