PCI Requirement 9.2 – Develop Procedures to Easily Distinguish Between Onsite Personnel and Visitors

by Randy Bartels / January 31st, 2018

How to Easily Distinguish Between Onsite Personnel and Visitors

As part of your organization’s physical security measures, PCI Requirement 9.2 requires that your organization develops and maintains identification procedures to easily distinguish between onsite personnel and visitors. It’s important to remember that in relation to PCI Requirement 9, onsite personnel refers to full-time and part-time employees, temporary employees, contractors, and consultants who are physically present on your organization’s premise. Visitors are any vendors, third parties, guests of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.

A badge system is a great way to maintain compliance with PCI Requirement 9.2. When a visitor enters your facility, they would fill out a log that requires the individual’s name, the organization that they represent, and who has authorized them to come into your facility. Giving visitors a visitor badge that’s easily distinguished from an employee badge, like one that’s a brighter color or is much larger than an employee badge, makes it easy to determine a visitor from far away. When the visitor leaves your facility, they need to sign out and return their visitor badge.

Your identification procedures to easily distinguish between onsite personnel and visitors should also outline a method for how to document changes to access requirements, and revoking/terminating access. If an employee is terminated, how do you terminate their badge and access? If a visitor has an expired badge, how do you handle that?

Complying with PCI Requirement 9.2 will help your organization easily identify authorized visitors and prevent you from giving unauthorized visitors access to sensitives areas containing cardholder data.

As an organization, you need to develop policies and procedures around identifying guests and identifying employees within your organization. This would include policies and procedures around terminated guests’ or terminated employees’ badges when they are no longer authorized to be in that area. These badges need to be distinguished so that you know it’s a guest badge, and not an employee badge. I would recommend that you make it a different, brighter color so that you can distinguish these individuals from afar.

From an assessment perspective, there’s really not a lot that you need to do. You follow your program, policies, and procedures. Your assessor is likely going to be, of course, asking for the policies and procedures around this, but the fact that you give them a badge or a tag that distinguishes them is usually sufficient enough to meet the testing requirements of PCI Requirement 9.2.