Defined Approach Requirements
9.3.2 Procedures are implemented for authorizing and managing visitor access to the CDE, including:
- Visitors are authorized before entering.
- Visitors are escorted at all times.
- Visitors are clearly identified and given a badge or other identification that expires.
- Visitor badges or other identification visibly distinguishes visitors from personnel.
Customized Approach Objective
Requirements for visitor access to the CDE are defined and enforced. Visitors cannot exceed any authorized physical access allowed while in the CDE.
Defined Approach Testing Procedures
9.3.2.a Examine documented procedures and interview personnel to verify procedures are defined for authorizing and managing visitor access to the CDE in accordance with all elements specified in this requirement.
9.3.2.b Observe processes when visitors are present in the CDE and interview personnel to verify that visitors are:
- Authorized before entering the CDE.
- Escorted at all times within the CDE.
9.3.2.c Observe the use of visitor badges or other identification to verify that the badge or other identification does not permit unescorted access to the CDE.
9.3.2.d Observe visitors in the CDE to verify that:
- Visitor badges or other identification are being used for all visitors.
- Visitor badges or identification easily distinguish visitors from personnel.
9.3.2.e Examine visitor badges or other identification and observe evidence in the badging system to verify visitor badges or other identification expires.
Purpose
Visitor controls are important to reduce the ability of unauthorized and malicious persons to gain access to facilities and potentially to cardholder data.
Visitor controls ensure visitors are identifiable as visitors so personnel can monitor their activities, and that their access is restricted to just the duration of their legitimate visit.
Definitions
Refer to Appendix G for the definition of "visitor."
Purpose
Ensure visitors are easily distinguishable from personnel.
Compliance Strategies
- Distinctive visitor badges
- Uniform color coding
Typical Policies
- Badge Design Policy
Common Pitfalls
- Visitors using staff badges
- No badge differentiation
Type
Physical/Process Control
Difficulty
Low
Key Risks
- Impersonation
Recommendations
- Use photo badges for visitors
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER