Which describes how vendor remote access accounts should be managed?

Multiple Choice

Which describes how vendor remote access accounts should be managed?

Explanation:
Vendor remote access should be tightly controlled and limited to the minimum time necessary. Remote access creates a direct entry point into the cardholder data environment, so granting access only for the task at hand minimizes the window during which credentials could be misused if compromised. In practice, this means using time-bound sessions or temporary accounts, requiring explicit approval, and revoking access as soon as the work is finished. Pair this with strong authentication (such as multi-factor) and thorough auditing: each vendor should have a unique account, and all activity should be logged for review. Keeping access always on increases the risk by expanding the attack surface; rotating passwords daily for vendor accounts adds administrative burden without addressing the need to restrict access timing and monitoring; auditing quarterly is too infrequent to promptly detect or deter misuse.
