PCI Requirement 9.4.4 – A Visitor Log is Used to Maintain a Physical Audit Trail of Visitor Activity to the Facility, Computer Rooms, and Rooms Where CHD is Stored

by Randy Bartels / January 31st, 2018

Maintain a Visitor Log

In order to record which visitors have entered your sensitive areas, PCI Requirement 9.4.4 requires, “A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.” This visitor log must document three elements:

  • The visitor’s name
  • The firm represented
  • The onsite personnel authorizing physical access

This log of visitor activity to the facility must be retained for a minimum of three months, and the recorded data should be reviewed and correlated with your other physical access mechanisms, such as video camera footage and badge-swipe records. A visitor log is an easy, inexpensive way to document a minimal amount of information on visitors, and it helps you establish who had physical access to a building or room and, by extension, who may have had access to cardholder data.

If your organization has a visitor log but does not maintain it, capture the required information, or verify what is recorded, that is a finding: it does not comply with PCI Requirement 9.4.4. The visitor log must be completely and accurately filled out. An assessor will want to verify that the log is in use, contains the required information, and is part of the vetting process for gaining physical access to sensitive areas.

PCI Requirement 9.4.4 requires that you maintain a physical log of when individuals have entered your facility or your sensitive areas. There is little flexibility in this requirement: you must keep the log for at least 90 days and you must review the data it contains.

As an assessor, I would often flip through the pages of these logs' history, and it quickly became evident that while many organizations had a log and visitors would sign in, the required information was not being captured. The log had a field for the firm represented or for the person authorizing access, but there was no vetting process to make sure those fields were actually filled in. Your assessor should be asking to see those logs and to see where individuals have come into your facility.
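The review described above (checking that every entry carries the three required elements, correlating sign-ins with badge-swipe records, and confirming the retained log reaches back at least 90 days) is the kind of thing many sites do by eye. As an added example that is not from the original post or from PCI SSC, the script below runs those same checks over a visitor log and a badge-reader export. The CSV column names, the 10-minute correlation window, and the sample rows are constructed for illustration and are not taken from any real system.

```python
"""Visitor-log review helpers for PCI DSS Requirement 9.4.4.

Added example, not code from the original post. The column names below
(time_in, visitor_name, firm, authorized_by, area / time, badge_holder, door)
are assumptions; adapt them to your sign-in sheet and badge-reader export.
"""
import csv
import io
from datetime import datetime, timedelta

# The three elements Requirement 9.4.4 says the log must document.
REQUIRED_FIELDS = ("visitor_name", "firm", "authorized_by")
RETENTION_DAYS = 90
TIME_FMT = "%Y-%m-%d %H:%M"
DATE_FMT = "%Y-%m-%d"

# Constructed visitor log: one row per sign-in. Row 3 is missing the firm,
# row 4 is missing the authorizing employee, row 5 has no badge record.
VISITOR_LOG_CSV = """\
time_in,visitor_name,firm,authorized_by,area
2018-01-03 09:12,Jane Doe,Acme HVAC,R. Bartels,Data Center
2018-01-15 14:05,John Roe,Widget Audit LLC,M. Smith,Computer Room
2018-01-22 10:40,Ann Lee,,R. Bartels,Data Center
2018-01-29 08:55,Sam Poe,Cabling Inc,,Computer Room
2018-01-30 16:20,Kim Fox,Acme HVAC,M. Smith,Data Center
"""

# Constructed badge-reader export: swipes by the escorting employee at the door.
BADGE_SWIPES_CSV = """\
time,badge_holder,door
2018-01-03 09:15,R. Bartels,Data Center
2018-01-15 14:02,M. Smith,Computer Room
2018-01-22 10:44,R. Bartels,Data Center
2018-01-29 08:58,M. Smith,Computer Room
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def incomplete_entries(entries):
    """Return (row_number, missing_fields) for rows lacking any required element."""
    problems = []
    for number, row in enumerate(entries, start=1):
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            problems.append((number, missing))
    return problems


def uncorroborated_entries(entries, swipes, window=timedelta(minutes=10)):
    """Return sign-ins with no swipe by the named authorizer at that area within +/- window.

    A row whose authorizer field is blank can never be corroborated, so it is
    reported here as well as by incomplete_entries().
    """
    unmatched = []
    for row in entries:
        signed_in = datetime.strptime(row["time_in"], TIME_FMT)
        corroborated = any(
            swipe["door"] == row["area"]
            and swipe["badge_holder"] == row["authorized_by"]
            and abs(datetime.strptime(swipe["time"], TIME_FMT) - signed_in) <= window
            for swipe in swipes
        )
        if not corroborated:
            unmatched.append(row)
    return unmatched


def retention_coverage_ok(entries, as_of_date, min_days=RETENTION_DAYS):
    """True if the retained log reaches back at least min_days before as_of_date (YYYY-MM-DD)."""
    if not entries:
        return False
    as_of = datetime.strptime(as_of_date, DATE_FMT)
    oldest = min(datetime.strptime(r["time_in"], TIME_FMT) for r in entries)
    return as_of - oldest >= timedelta(days=min_days)


def review(log_csv, swipes_csv, as_of_date):
    """Run all three checks and return a summary dict."""
    entries = parse_csv(log_csv)
    swipes = parse_csv(swipes_csv)
    return {
        "incomplete": incomplete_entries(entries),
        "uncorroborated": [r["visitor_name"] for r in uncorroborated_entries(entries, swipes)],
        "retention_ok": retention_coverage_ok(entries, as_of_date),
    }


if __name__ == "__main__":
    for key, value in review(VISITOR_LOG_CSV, BADGE_SWIPES_CSV, "2018-01-31").items():
        print(f"{key}: {value}")
```

Run against the constructed data, the script flags Ann Lee (no firm) and Sam Poe (no authorizer) as incomplete, flags Sam Poe and Kim Fox as having no corroborating badge swipe, and reports the retention check as failing because the oldest retained entry is only 28 days old as of 2018-01-31. The strict match on the authorizer's name is deliberate: a swipe by someone else at the same door around the same time does not show that the person named on the log actually escorted the visitor.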