GRCWatch
Sign inStart free trial

PCI DSS 9.3.2: Authorize and Escort Visitors to Your CDE

Visitor management is a critical physical security control that prevents unauthorized access to your cardholder data environment. PCI DSS 9.3.2 requires documented procedures for authorizing visitors before entry and maintaining continuous escort throughout their time in restricted areas. This control directly reduces insider threats and accidental data exposure.

What this means

Your organization must establish and enforce formal procedures that authorize visitors before they enter the cardholder data environment and ensure they are escorted by an authorized employee at all times while present. This includes pre-visit vetting, ID verification, access logging, and continuous supervision to prevent unauthorized access to systems, networks, or sensitive data.

How to comply

  1. 1.Document a formal visitor authorization policy that defines who can authorize visits, required approval workflows, and visitor categories
  2. 2.Implement a pre-visit authorization process requiring business justification, identity verification, and risk assessment before access is granted
  3. 3.Create a visitor log or badge system that records visitor name, escort, date, time, purpose, and areas accessed
  4. 4.Assign a designated employee to escort each visitor continuously throughout their time in the CDE
  5. 5.Establish restrictions on visitor access to sensitive areas, systems, and data; visitors should never be left unattended
  6. 6.Conduct background checks or verification as appropriate for your organization and industry
  7. 7.Train employees on visitor management procedures and their responsibility to monitor and report suspicious visitor activity
  8. 8.Perform periodic audits of visitor logs to ensure compliance with escort requirements and identify access patterns

Evidence auditors look for

  • Visitor authorization policy document with approval authority and procedures
  • Visitor pre-approval forms or email chains documenting business justification and authorization
  • Visitor log or badge system showing visitor name, escort, date, time, and CDE access records
  • Employee training records confirming staff understanding of visitor escort requirements
  • Physical security access records (badges, keycards) tied to visitor sign-in
  • Audit reports of visitor logs showing compliance with continuous escort requirements
  • Incident reports documenting any unauthorized or unescorted visitor access

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates visitor management workflows with pre-visit authorization forms, digital sign-in tracking, and audit logs—eliminating manual paper processes and proving continuous compliance with PCI DSS 9.3.2 to auditors.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 9.1 — Implement strong access control measures to restrict and manage physical access to cardholder dataPCI DSS 9.2 — Develop procedures to easily identify and distinguish between on-site personnel and visitorsPCI DSS 9.4 — Implement procedures to ensure identification badges or other physical identification are returned upon termination of employment or engagement