If a vendor plans to terminate an employee, which of these must be done?
A. The employee must be escorted from the premises immediately
B. The employee's locker and desk must be searched prior to termination
C. The Human Resources department must be notified prior to termination
D. The security manager must be notified in writing prior to termination
The Answer Is: D
Explanation:
According to the PCI Card Production Logical Security Requirements, the vendor must have a formal employee termination process that includes notifying the security manager in writing prior to the termination of any employee who has access to cardholder data or sensitive authentication data. This is to ensure that the security manager can take appropriate actions to revoke the employee’s access rights, credentials, and keys, and to prevent any unauthorized use or disclosure of cardholder data or sensitive authentication data by the terminated employee. The vendor must also have a documented policy and procedure for the employee termination process, and must maintain a log of all termination activities.
References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.2
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 20, requirement 6.1.3