Which requirement governs activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?


Multiple Choice


Explanation:
Activating remote-access tools for vendors only when they need to perform a task, and deactivating them immediately after that task is done, is a time-bound, need-to-access approach to third-party access. This tight control keeps the window of opportunity for misuse extremely small, reducing the chance that a compromised vendor credential or a lingering remote session could lead to exposure of cardholder data. In PCI DSS, this is the specific requirement governing how vendors and business partners access your environment: access is granted on a per-need basis, must be authenticated and monitored, and is revoked as soon as the work is complete, with activity logged for accountability. That makes it the best fit for minimizing risk while still allowing necessary collaboration. Other PCI DSS areas address different aspects of remote access or security controls, but they do not prescribe this precise on-demand, immediate-revocation approach for vendor access.

