9.3 PCI DSS (v3.2.1)

Control physical access for onsite personnel to sensitive areas as follows:
• Access must be authorized and based on individual job function.
• Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.