Controls surrounding visitor access are vital to the physical security of your organization. When a visitor enters your facility, they need to be easily distinguished from onsite personnel. Throughout PCI Requirement 9, we’ve discussed visitor identification mechanisms such as a badge system; this comes into play in PCI Requirement 9.4.2 as well.
PCI Requirement 9.4.2 states, “Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.” When a visitor enters your facility, they must be issued a visitor badge that has an expiration date and/or time and that can be easily distinguished from an employee badge, for example by being a brighter color or much larger than an employee badge, so that a visitor can be recognized from a distance. Ensuring that visitor badges have an expiration date and/or time prevents malicious individuals from using a previously authorized badge to gain physical access to your facility after the visit has ended.
How you treat your assessor also reflects your compliance: did you issue them identification? Did someone mistake them for an employee? Did their badge have an expiration date and/or time? Did they return the badge at the end of their visit? If you do not follow your own procedures while an assessor is present, this can indicate a lack of physical security.
From time to time, visitors are going to be coming into your environment, like your assessors. Visitors need to be authorized to be in your environment, and being authorized is great, but they also need to be given a badge or something else that identifies them as a visitor. Whatever that token is, it needs to be easily distinguished from an employee’s badge, and it needs to have an expiration date or time. One of the things that we recommend is giving visitors a big, printed badge that’s a different color than employees’ badges so that it’s easily distinguished.
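To make the expiration rule concrete, here is a small Python model of the badge controls described in the two paragraphs above: visitor badges are issued with an expiry time and a visible "VISITOR" marking, an access check refuses expired, returned or non-expiring visitor badges, and an end-of-day reconciliation lists visitor badges that were never handed back. This is an added example, not code from the original article or from the PCI DSS; the badge identifiers, the eight-hour default validity and the timestamps are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Badge:
    badge_id: str
    holder: str
    kind: str                      # "employee" or "visitor"
    label: str                     # text printed on the badge
    issued_at: datetime
    expires_at: Optional[datetime]  # required for visitor badges, optional for employees
    returned: bool = False


def issue_visitor_badge(badge_id: str, holder: str, now: datetime, valid_hours: int = 8) -> Badge:
    """Issue a visitor badge that expires after valid_hours and is visibly marked VISITOR.
    The 8-hour default is a constructed value; use your own visit policy."""
    return Badge(
        badge_id=badge_id,
        holder=holder,
        kind="visitor",
        label="VISITOR (bright orange)",   # visibly different from employee badges
        issued_at=now,
        expires_at=now + timedelta(hours=valid_hours),
    )


def check_access(badge: Badge, now: datetime) -> Tuple[bool, str]:
    """Decide whether a presented badge should open the door at time `now`.
    Returns (allowed, reason) so the reason can be logged at the access point."""
    if badge.kind == "visitor":
        # A visitor badge with no expiry violates the requirement outright.
        if badge.expires_at is None:
            return False, "visitor badge has no expiration"
        # A badge that was handed back at the end of the visit must not work again.
        if badge.returned:
            return False, "badge was returned after the visit"
        # An expired badge is exactly the reuse scenario the requirement prevents.
        if now >= badge.expires_at:
            return False, "badge expired"
    return True, "ok"


def unreturned_visitor_badges(badges: List[Badge], now: datetime) -> List[str]:
    """End-of-day reconciliation: visitor badges past expiry that were never returned."""
    return [
        b.badge_id
        for b in badges
        if b.kind == "visitor"
        and not b.returned
        and b.expires_at is not None
        and now >= b.expires_at
    ]


if __name__ == "__main__":
    # Constructed sample day: an assessor visits at 09:00.
    start = datetime(2024, 1, 15, 9, 0)
    assessor = issue_visitor_badge("V-0001", "QSA assessor", start)
    print(check_access(assessor, start + timedelta(hours=2)))   # allowed during the visit
    print(check_access(assessor, start + timedelta(days=1)))    # refused the next day
    print(unreturned_visitor_badges([assessor], start + timedelta(hours=10)))
```

The two refusal branches are the ones an assessor will ask about: the expiry check answers "could this badge be used tomorrow?", and the reconciliation answers "did the visitor actually return the badge?". An employee badge passes through unchanged here because Requirement 9.4.2 is specifically about visitors.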