WithPCI.com

9.3.4 Visitor logs are used to maintain a physical record of visitor activity both within the facility and within sensitive areas, including:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

9.3.4 Visitor logs are used to maintain a physical record of visitor activity both within the facility and within sensitive areas, including:

  • The visitor's name and the organization represented.
  • The date and time of the visit.
  • The name of the personnel authorizing physical access.
  • Retaining the log for at least three months, unless otherwise restricted by law.

Customized Approach Objective

Records of visitor access that enable the identification of individuals are maintained.

Defined Approach Testing Procedures

9.3.4.a Examine the visitor logs and interview responsible personnel to verify that visitor logs are used to record physical access to both the facility and sensitive areas.

9.3.4.b Examine the visitor logs and verify that the logs contain:

  • The visitor's name and the organization represented.
  • The personnel authorizing physical access.
  • Date and time of visit.

Purpose

A visitor log documenting minimum information about the visitor is easy and inexpensive to maintain. It will assist in identifying historical physical access to a building or room and potential access to cardholder data.

Good Practice

When logging the date and time of visit, including both in and out times is considered a best practice, since it provides helpful tracking information and provides assurance that a visitor has left at the end of the day. It is also good to verify that a visitor's ID (driver's license, etc.) matches the name they put on the visitor log.
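The record checks that 9.3.4 and the good practice above describe can be applied to an electronic visitor log. The Python below is an added example, not code from WithPCI or the PCI SSC: it assumes log records with the field names shown, treats "at least three months" as 90 days, and hash-chains entries so that later edits to stored records are detectable (the tampering risk noted later on this page). The sample records are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Fields 9.3.4 requires per visit (assumed key names for an electronic log)
REQUIRED = ("visitor_name", "organization", "time_in", "authorized_by")
MIN_RETENTION = timedelta(days=90)  # "at least three months", assumed as 90 days

SAMPLE_LOG = [  # constructed sample records, not real data
    {"visitor_name": "A. Example", "organization": "Example Audit LLP",
     "time_in": "2024-01-15T09:05", "time_out": "2024-01-15T11:40",
     "authorized_by": "J. Doe (Facilities)"},
    {"visitor_name": "B. Sample", "organization": "",
     "time_in": "2024-04-02T14:00", "time_out": "",
     "authorized_by": "J. Doe (Facilities)"},
]

def validate_entry(entry: dict) -> list:
    """Findings for one record: missing 9.3.4 fields, plus the in/out good practice."""
    findings = [f"missing {f}" for f in REQUIRED if not entry.get(f)]
    if entry.get("time_in") and not entry.get("time_out"):
        findings.append("no check-out time recorded")
    return findings

def audit_log(entries: list, now: datetime) -> dict:
    """Per-entry findings and whether the retained history reaches MIN_RETENTION."""
    findings = {}
    for i, e in enumerate(entries):
        if validate_entry(e):
            findings[i] = validate_entry(e)
    oldest = min(datetime.fromisoformat(e["time_in"]) for e in entries if e.get("time_in"))
    return {"findings": findings, "retention_ok": now - oldest >= MIN_RETENTION}

def build_chain(entries: list) -> list:
    """SHA-256 chain: each digest covers the previous digest plus the current record."""
    digests, prev = [], "genesis"
    for e in entries:
        prev = hashlib.sha256(prev.encode() + json.dumps(e, sort_keys=True).encode()).hexdigest()
        digests.append(prev)
    return digests

def verify_chain(entries: list, digests: list) -> bool:
    """True only if every stored record still matches the digest recorded for it."""
    return build_chain(entries) == digests

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG, datetime(2024, 5, 1)))
    print(verify_chain(SAMPLE_LOG, build_chain(SAMPLE_LOG)))
```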

Purpose

Store visitor logs securely and restrict access to logs.

Compliance Strategies

  • Physical or electronic log security
  • Access controls

Typical Policies

  • Visitor Log Security Policy

Common Pitfalls

  • Logs accessible to unauthorized personnel

Type

Documentation/Process Control

Difficulty

Low

Key Risks

  • Tampering with visitor records

Recommendations

  • Encrypt digital logs

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
