GRCWatch
Sign inStart free trial

PCI DSS 9.3.4: Maintain a Visitor Log for Physical Security

PCI DSS 9.3.4 requires organizations to maintain a visitor log that documents every person entering secure areas where payment card data is processed or stored. This physical audit trail—capturing visitor name, organization, date, time, and authorizing personnel—creates accountability and helps detect unauthorized access attempts.

What this means

A visitor log serves as your physical security checkpoint, recording every visitor's entry into restricted areas containing cardholder data environments (CDE). The log must capture: the visitor's full name, their organization or company, the date and time of entry, the name of the employee authorizing their access, and the business purpose of their visit. This creates a timestamped audit trail that can be reviewed during compliance assessments and security investigations.

How to comply

  1. 1.Designate all areas containing cardholder data as restricted and establish a visitor sign-in process at entry points
  2. 2.Create a physical or digital visitor log form that captures: visitor name, organization, date, time in/out, purpose of visit, and authorizing employee name/signature
  3. 3.Require all visitors to sign in before entering CDE areas and sign out upon departure
  4. 4.Train reception and security personnel to consistently enforce visitor log procedures and verify authorization
  5. 5.Review visitor logs regularly (weekly or monthly) for anomalies or unauthorized access attempts
  6. 6.Retain visitor logs for at least one year in accordance with PCI DSS record retention requirements
  7. 7.Cross-reference visitor logs with employee lists to ensure only authorized personnel granted access

Evidence auditors look for

  • Physical visitor sign-in sheets with completed entries showing visitor name, company, date, time, and authorizing employee
  • Digital visitor management system logs with timestamped entry/exit records and approval workflow documentation
  • Reception desk procedures document outlining visitor log requirements and enforcement process
  • Quarterly visitor log review reports identifying any unusual access patterns or gaps in documentation
  • Access control policy that references visitor logging as a required procedure for physical security
  • Training records showing staff were educated on visitor log completion and verification procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates visitor log tracking with digital sign-in workflows that capture all required audit fields, timestamp entries automatically, and generate compliance reports—eliminating manual spreadsheet errors and streamlining your physical security evidence for audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 9.3.1 - Restrict Facility AccessPCI DSS 9.3.3 - Escort VisitorsPCI DSS 9.3.5 - Retrieve and Review Visitor LogsPCI DSS 9.1 - Physical Security PolicyPCI DSS 12.6 - Visitor Information Security Procedures