PCI Requirement 9.4.3 – Visitors are Asked to Surrender the Badge or Identification Before Leaving the Facility or at the Date of Expiration

by Randy Bartels / January 31st, 2018

Visitors Must Surrender Their Badge Upon Their Departure

To comply with PCI Requirement 9.4, there’s an important step outlined in PCI Requirement 9.4.3, related to identification mechanisms. It states, “Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.” Even though a visitor badge has an expiration date and/or time on it, you must ensure that you ask visitors to surrender their badge upon their departure. This could be the job of the person who has escorted the visitor, a receptionist, or a security guard – just make sure it’s someone’s responsibility.

One purpose of PCI Requirement 9.4.3 is to prevent a visitor badge from being used maliciously. The PCI DSS explains, “Ensuring that visitor badges are returned upon expiry or completion of the visit prevents malicious persons from using a previously authorized pass to gain physical access into the building after the visit has ended.”

How you treat your assessor can represent your commitment to complying with PCI Requirement 9.4.3. Your assessor probably will not volunteer their visitor badge at the end of the assessment; they will wait to see whether you ask them to surrender their badge upon their departure.

When a visitor leaves your facility, you’ll want to make sure that they are asked to surrender their visitor badge upon their departure. One of the things that I used to do as an assessor (mind you, I’ve been doing this for about 10 years), is I would never volunteer my badge at the end of an assessment. I would never hide it from them, but I would never voluntarily give it up. I would always wait for them to ask me for it. At my house, I had this thing called “The Wall of Shame” and it was all of these badges that no one had ever asked me to return. I kept them kind of as a trophy for this particular requirement. So, when you have a guest that’s leaving your facility, please make sure that the last person who interacts with them asks for that badge. This could be the receptionist, or it could be the person who’s escorted them around the facility.