Authorize and Escort Visitors at All Times
Controls surrounding visitor access are vital to the physical security of your organization. These controls reduce the potential for unauthorized individuals to gain access to cardholder data. If a visitor enters your organization’s sensitive areas that house cardholder data, PCI Requirement 9.4.1 requires that visitors are authorized before entering the area and escorted at all times within the area.
To verify compliance with PCI Requirement 9.4.1, assessors will look at artifacts that document the authorization process, such as a sign-in sheet, email, or form. Whatever your identification and authorization mechanisms are, they also need to be observed in practice to verify that an unauthorized individual cannot be granted physical access to sensitive areas. How you treat your assessor also reflects your compliance: were you escorting your assessor the entire time? Did you leave them alone in sensitive areas? If you do not follow your own procedures while an assessor is present, this can indicate a lack of physical security.
From time to time, visitors will enter your facilities, and they may need access to your sensitive areas. They need to be authorized to have that access, and they need to be escorted at all times. From an assessment perspective, we’ll be looking for the artifacts that you retain about authorizing individuals into these sensitive areas, whether that is your sign-in sheet, management authorization in an email, or whatever else it might be. As part of the escorting clause in this requirement, we’re also looking at how you escort people within the facility. How do you treat us? If you leave an assessor to their own devices, such as putting us in a conference room or bringing us into a sensitive area and leaving us alone, you might have challenges in meeting this requirement.
If you have any questions about this, have a conversation with your assessor and I’m sure they’ll be happy to clarify this for you.