PCI Requirement 9.4 – Implement Procedures to Identify and Authorize Visitors

by Randy Bartels / January 31st, 2018

How to Identify and Authorize Visitors

What would the consequences be if an unidentified, unauthorized visitor entered your facility? What people, facilities, or technology would they have physical access to? How would you confront them? PCI Requirement 9.4 hopes to prevent a situation like this from occurring at your organization.

PCI Requirement 9.4 states, “Implement procedures to identify and authorize visitors,” and outlines four sub-requirements to help your organization comply. Visitors, in reference to PCI Requirement 9, are any vendors, third parties, guests of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. These are individuals who have not been trained on your organization’s policies and procedures, nor have they gone through a background check.

To comply with PCI Requirement 9.4, you need to identify and authorize visitors. Your organization must develop and implement procedures that include:

  • Authorizing visitors before they enter sensitive areas where cardholder data resides, and escorting visitors at all times in this sensitive area.
  • A visitor identification system, such as a badge that visibly distinguishes visitors from onsite personnel.
  • Surrendering of the visitor identification before the visitor leaves your facility.
  • A visitor log which documents the visitor’s name, organization they represent, and who has authorized their physical access.

Controls surrounding visitor access are vital to the physical security of your organization. These controls reduce the potential for unauthorized individuals to gain access to cardholder data.

PCI Requirement 9.4 has to do with establishing the controls around the visitors that are within your environment. We understand that there might be vendors that you consider an extension of your staff, or there might be vendors that you consider to be guests. From an assessment perspective, what determines the difference between the two is if you treat these vendors as an extension of your staff and put them through your background checks and your training, then I don’t see those as being guests in your environment. We’re looking for individuals who have not been trained on your policies and procedures, not gone through your background check process. These are the people that we look at to make sure that guest controls have been applied.