How to Identify and Authorize Visitors

What would the consequences be if an unidentified, unauthorized visitor entered your facility? What people, facilities, or technology would they have physical access to? How would you confront them? PCI Requirement 9.4 hopes to prevent a situation like this from occurring at your organization.

PCI Requirement 9.4 states, “Implement procedures to identify and authorize visitors,” and outlines four sub-requirements to help your organization comply. Visitors, in reference to PCI Requirement 9, are any vendors, third parties, guests of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. These are individuals who have not been trained on your organization’s policies and procedures, nor have they gone through a background check.

To comply with PCI Requirement 9.4, you need to identify and authorize visitors. Your organization must develop and implement procedures that include:

  • Authorizing visitors before they enter sensitive areas where cardholder data resides, and escorting visitors at all times within these sensitive areas.
  • A visitor identification system, such as a badge that visibly distinguishes visitors from onsite personnel.
  • Surrendering of the visitor identification before the visitor leaves your facility.
  • A visitor log which documents the visitor’s name, organization they represent, and who has authorized their physical access.

Controls surrounding visitor access are vital to the physical security of your organization. These controls reduce the potential for unauthorized individuals to gain access to cardholder data.

PCI Requirement 9.4 has to do with establishing the controls around the visitors that are within your environment. We understand that there might be vendors that you consider an extension of your staff, or there might be vendors that you consider to be guests. From an assessment perspective, what determines the difference between the two is how you treat these vendors: if you treat them as an extension of your staff and put them through your background checks and your training, then I don’t see those as being guests in your environment. We’re looking for individuals who have not been trained on your policies and procedures and have not gone through your background check process. These are the people that we look at to make sure that guest controls have been applied.

Physical Access Requirements for Onsite Personnel

Physical access requirements don’t only apply to visitors; they also apply to your onsite personnel. PCI Requirement 9.3 focuses on controlling physical access to sensitive areas for onsite personnel. Your organization should determine the specific sensitive areas where cardholder data is stored, processed, or transmitted and the specific onsite personnel who have been granted physical access to these areas.

Physical access to sensitive areas must be authorized by management and based on job function. This relates back to PCI Requirement 7; if physical access is necessary for someone to perform their job, that’s acceptable. If the person can perform their job without physical access, then deny that access. The more people who have access to sensitive areas and cardholder data, the more risk there is. Limiting access to those with a legitimate business need can help your organization prevent mismanagement of cardholder data.

If an individual leaves your organization or is terminated, their physical access must be revoked as soon as possible and all physical access mechanisms (like their keys, employee identification, etc.) must be returned and/or disabled. Complying with this aspect of PCI Requirement 9.3 ensures that terminated personnel do not have the opportunity to gain physical access to sensitive areas once their employment has ended.

Within your organization, it’s likely that you have very specific sensitive areas that you’ve defined. Wherever you have these sensitive areas – which might contain financial information, client customer information, or cardholder information – where you are storing, processing, or transmitting information, you need to control who has access into the area. This isn’t just about a guest. This is also about your normal employees.

From an assessor’s perspective, one of the things we look for, which marries back to PCI Requirement 7, is who has been authorized to have access into this environment. If Johnny, Bobby, Susie, Tommy, Larry, etc. need access in there to do their job, that’s fine. However, if there are individuals within your organization that truly do not need access into this environment, their access should be restricted.

How to Easily Distinguish Between Onsite Personnel and Visitors

As part of your organization’s physical security measures, PCI Requirement 9.2 requires that your organization develops and maintains identification procedures to easily distinguish between onsite personnel and visitors. It’s important to remember that in relation to PCI Requirement 9, onsite personnel refers to full-time and part-time employees, temporary employees, contractors, and consultants who are physically present on your organization’s premises. Visitors are any vendors, third parties, guests of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.

A badge system is a great way to maintain compliance with PCI Requirement 9.2. When a visitor enters your facility, they would fill out a log that requires the individual’s name, the organization that they represent, and who has authorized them to come into your facility. Giving visitors a visitor badge that’s easily distinguished from an employee badge, like one that’s a brighter color or is much larger than an employee badge, makes it easy to recognize a visitor from far away. When the visitor leaves your facility, they need to sign out and return their visitor badge.

Your identification procedures to easily distinguish between onsite personnel and visitors should also outline a method for documenting changes to access requirements and for revoking or terminating access. If an employee is terminated, how do you terminate their badge and access? If a visitor has an expired badge, how do you handle that?

Complying with PCI Requirement 9.2 will help your organization easily identify authorized visitors and prevent you from giving unauthorized visitors access to sensitive areas containing cardholder data.

As an organization, you need to develop policies and procedures around identifying guests and identifying employees within your organization. This would include policies and procedures around terminated guests’ or terminated employees’ badges when they are no longer authorized to be in that area. These badges need to be distinguished so that you know it’s a guest badge, and not an employee badge. I would recommend that you make it a different, brighter color so that you can distinguish these individuals from afar.

From an assessment perspective, there’s really not a lot that you need to do. You follow your program, policies, and procedures. Your assessor is likely going to be, of course, asking for the policies and procedures around this, but the fact that you give visitors a badge or a tag that distinguishes them is usually sufficient to meet the testing requirements of PCI Requirement 9.2.

Physical Security of Wireless Devices

Wireless components and devices introduce more risk to your cardholder data environment. This is why PCI Requirement 9.1.3 focuses on maintaining the physical security of wireless devices. PCI Requirement 9.1.3 requires, “Restrict physical access to wireless access points, gateways, handheld devices, networking hardware, communications hardware, and telecommunication lines.” Without the proper security over access to wireless components and devices, attackers can use your organization’s wireless network to access network resources, connect their own devices, or intercept network traffic.

You may be wondering how to physically secure something that is wireless. Wireless access points, gateways, networking hardware, communications hardware, and telecommunication lines need to be physically difficult to reach. This could mean mounting devices on a ceiling, physically blocking access to a reset button, disabling all console interfaces, mounting devices on a wall but out of reach, physically blocking access to Ethernet ports, or installing tamper-detection technology. Handheld devices that go missing should be immediately reported and tracked.

For more information on securing wireless networks, check out the PCI DSS Wireless Guideline Information Supplement.

There are going to be situations where you have individuals come into your environment. There’s the receptionist area, and there might be a conference room. What we’re looking for in PCI Requirement 9.1.3 is that any network jacks considered publicly accessible are appropriately protected, or that you’re escorting your guests at all times.

What’s considered a public area? From an assessor’s perspective, we’re looking at any place where you’re not monitoring a guest within your facility. A public area might be considered a receptionist area, or a conference room if you leave someone alone. If you have network jacks that do not terminate into your cardholder data environment, these controls would not apply. From a security perspective, it would be a good thing, but it’s not required.

Understand that what we’re looking for here is that any network jack that terminates or is in scope of PCI DSS has appropriate controls protecting it, and/or it’s disabled, and/or you escort your visitors at all times.

Controls for Publicly Accessible Network Jacks

To ensure that visitors cannot exploit network jacks, PCI Requirement 9.1.2 requires that organizations implement physical controls and/or implement logical controls that restrict access to publicly accessible network jacks. The PCI DSS also explains, “Restricting access to network jacks will prevent malicious individuals from plugging into readily available network jacks and gain access into internal network resources. Whether logical or physical controls, or a combination of both, are used, they should be sufficient to prevent an individual or device that is not explicitly authorized from being able to connect to the network.”

Your organization could comply with PCI Requirement 9.1.2 in several ways. You could implement logical controls, such as keeping network jacks (or network ports) located in public areas, or any areas that are accessible to visitors, disabled by default and enabling them only when network access is explicitly authorized by management. Or, your organization could implement physical controls, such as having a process in place so that visitors are escorted at all times in areas that have active, enabled, publicly accessible network jacks.

During an assessment, your staff will be interviewed and assessors will observe the locations of publicly accessible network jacks. Assessors need to verify that you implement physical controls and/or logical controls that restrict access to publicly accessible network jacks.

You need to maintain a log of those individuals who are guests or vendors who have come in and out of your environment. There are two places that this log needs to reside: as someone walks into your facility and as someone walks into your data center/sensitive areas.

The PCI DSS is pretty specific about the information you are required to retain and how long you’re required to retain it. This information includes the individual’s name, the firm they represent, and who has authorized them to come into that facility. This information is then retained for at least 90 days. I find that many organizations almost keep this information in perpetuity, which is fine, but they fail in a couple of areas. First, they don’t have the necessary information on the log-in sheet. They might have the date, they might have the year, they might have the purpose of the visit; however, they’re missing the necessary points of information: name, the firm they represent, and who has authorized their entry.

From an assessment perspective, we’re looking for that log-in sheet in both places (as you’re entering the facility and then into your sensitive areas), and we’re looking to see that you have 90 days’ worth of that information.
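A small audit of a visitor log against the three data points, the badge surrender on exit, and the 90 days of history at both log locations that the sections above call for. This is an added Python example, not code from the original page or from any PCI DSS tooling; the entry field names, the two location labels, and the sample entries are this example's own constructed assumptions.

```python
from datetime import date

REQUIRED_FIELDS = ("name", "firm", "authorized_by")  # the three data points the page calls out
REQUIRED_LOCATIONS = ("facility", "datacenter")     # the two places the page says the log must reside
RETENTION_DAYS = 90                                  # minimum retention stated on the page
SAMPLE_TODAY = date(2024, 6, 1)                      # assumed assessment date for the sample

# Constructed sample log entries (not real data); field names are this example's own choice.
SAMPLE_LOG = [
    {"location": "facility", "name": "A. Vendor", "firm": "ACME HVAC", "authorized_by": "J. Smith",
     "date": "2024-03-01", "badge": "V-017", "badge_returned": True},
    {"location": "datacenter", "name": "C. Tech", "firm": "Cabling Co", "authorized_by": "J. Smith",
     "date": "2024-04-15", "badge": "V-020", "badge_returned": True},
    {"location": "facility", "name": "B. Guest", "firm": "", "authorized_by": "",
     "date": "2024-05-30", "badge": "V-031", "badge_returned": False},
]


def missing_fields(entry):
    """Return the required fields that are blank or absent in one log entry."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]


def audit_visitor_log(entries, today, retention_days=RETENTION_DAYS):
    """Report incomplete entries, badges never surrendered, and log locations
    whose oldest entry does not reach back retention_days from today."""
    findings = []
    oldest = {}  # location -> earliest entry date seen
    for i, e in enumerate(entries):
        miss = missing_fields(e)
        if miss:
            findings.append(f"entry {i} ({e['location']}): missing {', '.join(miss)}")
        if not e.get("badge_returned"):
            findings.append(f"entry {i} ({e['location']}): badge {e['badge']} not surrendered")
        d = date.fromisoformat(e["date"])
        oldest[e["location"]] = min(oldest.get(e["location"], d), d)
    coverage = {}
    for loc in REQUIRED_LOCATIONS:
        if loc not in oldest:
            findings.append(f"{loc}: no visitor log entries at all")
            coverage[loc] = 0
            continue
        coverage[loc] = (today - oldest[loc]).days
        if coverage[loc] < retention_days:
            findings.append(f"{loc}: only {coverage[loc]} days of log history, need {retention_days}")
    return {"coverage_days": coverage, "findings": findings}


if __name__ == "__main__":
    for line in audit_visitor_log(SAMPLE_LOG, SAMPLE_TODAY)["findings"]:
        print(line)
```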