Which statement is NOT a PCI compliance recommendation?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which statement is NOT a PCI compliance recommendation?

Explanation:
PCI DSS focuses on protecting cardholder data through strong access controls, data protection, and ongoing network monitoring. Rotating employees handling card transactions among different departments isn’t a PCI requirement; PCI emphasizes ensuring access is restricted to those with a business need (least privilege) and that access rights are reviewed, but it doesn’t mandate annual cross-department rotations. In contrast, the other three practices align directly with PCI guidance: applying least-privilege access so users only have the minimum rights needed; encrypting cardholder data in transit and at rest to keep data unreadable even if intercepted or accessed; and regularly monitoring and testing networks to identify and address security weaknesses. Therefore, rotating staff is not a PCI compliance recommendation, while the others are.

