PCI Requirement 8.1.3 – Immediately Revoke Access for Terminated Users

by Randy Bartels / December 21st, 2017

Protect Cardholder Data from Terminated Users

We’ve all heard a horror story of a terminated employee or someone that has left the company discovering their account was left open or active, giving them access to your network, and malicious access to cardholder data occurred. PCI Requirement 8.1.3 seeks to keep situations like these from happening. PCI Requirement 8.1.3 states, “Immediately revoke access for any terminated users.” Once an employee has been terminated or left your organization, their user credentials and other authentication methods must be immediately revoked. The purpose of PCI Requirement 8.1.3 is to protect cardholder data from terminated users. Even if a terminated user doesn’t have malicious intent, any unnecessary access to cardholder data puts it at risk. This is why you must immediately revoke access for any terminated users.

To verify compliance with PCI Requirement 8.1.3, an assessor will take a sample of users who have been terminated within a specific period of time and review current user access lists to ensure that terminated users’ IDs have been deactivated or deleted from access lists. This review should be of both local and remote access lists.

I’m sure we’ve all heard a story of terminating an employee, and then that individual’s account was left open for some reason and that ex-employee came back into that environment two weeks later and deleted a bunch of data or did something malicious in your environment. The PCI DSS looks to be respective of that. What they’ve done is created this requirement that says if you have a terminated employee, their account needs to be revoked immediately. You could do this one of two ways. You could simply disable the account, or you can actually delete it – the choice is up to you.

But what we’re going to do from an assessment perspective is we’re going to work with your HR department and get a list of accounts or individuals that have been terminated in the last six months, and then we’re going to look at those accounts within your environment. Organizations are pretty good about the active directory, server, or that main authentication library, but understand that you have other applications within your environment that they may or may not have had access to. So, when we look at this particular control, it’s all accounts, not just main authentication accounts. Be respective of that, try to keep an inventory of what particular accounts individuals have had within your organization, and once those individuals have been terminated, you must immediately delete or revoke access to that account, as required by your policies and procedures.