An important aspect of PCI compliance involves restricting physical access to areas where cardholder data is stored or processed. Firewalls and encryption can protect data from being intercepted by an attacker operating remotely, but the data is still at risk if you fail to create and enforce a policy regulating who may enter the rooms and areas where it is kept. A vital part of this policy is a system of visitor badges for people on the premises who are not employees. So what does the PCI Data Security Standard say about visitor ID badges? The PCI DSS requires businesses to follow these guidelines for visitor badges:
- Visitor badges should identify the wearer as a visitor who is not permitted unescorted access to areas where cardholder data is stored or processed; visitors in those areas must be escorted at all times.
- Visitor badges should be designed to ensure that visitors can be easily distinguished from normal personnel.
- Visitor badges should expire at a specified time.
- Visitors should return their badges before leaving the premises or at the expiration time.
- Only authorized personnel should be allowed to issue visitor badges.