PCI DSS 8.2.5: Immediately Revoke Terminated User Access
When an employee leaves your organization, their access must be revoked immediately—not later, not "soon." PCI DSS 8.2.5 requires instant deprovisioning of terminated users to prevent unauthorized access to cardholder data. This control is critical for reducing insider risk and maintaining audit-ready access logs.
What this means
PCI DSS 8.2.5 mandates that organizations revoke all system access for terminated employees without delay. This includes physical access, system accounts, application credentials, VPN access, and any other authentication mechanisms. The intent is to eliminate the window of opportunity where a former employee could access sensitive payment card data or systems. 'Immediately' means on the same day of termination, not within a grace period.
How to comply
- 1.Create a documented offboarding checklist triggered automatically on employee termination date
- 2.Disable or delete user accounts across all systems on the termination date
- 3.Revoke physical access badges, keys, and building credentials same-day
- 4.Remove user from all security groups, roles, and permission sets
- 5.Audit and archive user-owned files and email data per retention policy
- 6.Notify system owners and managers of the termination to ensure completeness
- 7.Document the revocation date, time, and approver for audit evidence
- 8.Review access logs post-termination to confirm no residual access remains
Evidence auditors look for
- Offboarding workflow documentation showing immediate deprovisioning triggers
- User access revocation logs with timestamps matching termination dates
- System audit trails showing account disables/deletions on termination day
- Physical security records (badge access, facility logs) post-termination
- Email forwarding and data transfer approvals completed on departure
- Manager sign-off forms confirming all access has been removed
- Identity and access management (IAM) reports showing zero active accounts for terminated users
- Incident logs or access attempts by terminated users (should show none)
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates offboarding workflows that trigger instant access revocation across all connected systems on termination date, eliminating manual steps and providing timestamped evidence for PCI audits.
See how GRCWatch handles this control automatically
Start free trial