Society of Payment Security Professionals Forum  

  #1  
02-05-2009, 07:27 AM
vot_ol
Junior Member
 
Join Date: Jan 2009
Posts: 7
PCI DSS req. 9.2

Hi!

The Bank has the following procedure: all visitors can move inside the building only with an accompanying person.
The Bank supposes that they don't need procedures to help all personnel easily distinguish between employees and visitors.

Can a QSA assessor write a non-compliance for req. 9.2?

Thank you!
  #2  
02-05-2009, 10:32 PM
alphonze
Junior Member
 
Join Date: Feb 2009
Posts: 17

That sounds non-compliant to me. After all, if there is no way to tell the difference between a visitor and a staff member, then how can anyone be sure whether an unaccompanied person is a legitimate staff member or an unauthorised visitor?! And if the bank staff do not know *all* the other bank staff, how can they tell if two people are a visitor and his escort, or *two visitors*!?

The intent here seems clear: staff need to be able to identify someone who shouldn't be there, so they can take action if there is an intruder, or an "escaped" visitor.

It's good that the bank has procedures to escort visitors. But those procedures are irrelevant. What is relevant is that when something unusual or abnormal happens, it can be detected.
  #3  
02-06-2009, 02:29 AM
neobaby
Junior Member
 
Join Date: Jan 2009
Posts: 14
Different ID Cards

What we have done is provide two different types of ID cards: one for normal staff, with the facility to use it as the physical access card (magnetic striped), and a different card (simple plastic) for all non-employees. This helps to easily distinguish them and requires an employee to accompany them. In addition, consultants who are in the company for a short period of time, like 1 month, are given another access card with a defined expiry period.
  #4  
02-06-2009, 05:38 AM
jbhall56
Senior Member
 
Join Date: Feb 2007
Location: Minneapolis, MN
Posts: 1,282

Another easy way to comply is to use the name tags you can buy at Office Max or Staples and then use Word to print them up.

On the tag you should print in RED ink the word 'VISITOR' in a bold, somewhat large font. Underneath that, print the visitor's name in BOLD so that it can be easily read. Underneath their name, include a print-date field so that people know when the badge was created.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
  #5  
06-22-2009, 11:10 AM
LJKSoftware
Senior Member
 
Join Date: Jun 2009
Location: Newton, Massachusetts
Posts: 120
Self-expiring ID badges

Quote:
Originally Posted by jbhall56
On the tag you should print in RED ink the word 'VISITOR' in a bold, somewhat large font. Underneath that, print the visitor's name in BOLD so that it can be easily read. Underneath their name, include a print-date field so that people know when the badge was created.
There are printable visitor badges manufactured that expire automatically with the passage of time, to prevent a former visitor from re-using a badge in front of employees who do not read the date carefully.
Copyright (c) The Aegenis Group, Inc.