9.3.3 Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
Defined Approach Requirements
9.3.3 Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
Customized Approach Objective
Visitor identification or badges cannot be reused after expiration.
Defined Approach Testing Procedures
9.3.3 Observe visitors leaving the facility and interview personnel to verify visitor badges or other identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.
Purpose
Ensuring that visitor badges are returned or deactivated upon expiry or completion of the visit prevents malicious persons from using a previously authorized pass to gain physical access into the building after the visit has ended.
Purpose
Ensure visitors return badges and are signed out upon departure.
Compliance Strategies
- Badge collection at exit
- Sign-out process
Typical Policies
- Visitor Departure Procedures
Common Pitfalls
- Unreturned badges
- No sign-out verification
Type
Process Control
Difficulty
Low
Key Risks
- Reuse of visitor badges for unauthorized entry
Recommendations
- Automated badge deactivation
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER