top of page
< Back

9.4.4 PCI DSS (v3.2.1)

Compliance Standard

Compliance Version

Control ID




Requirement 9: Restrict physical access to cardholder data


A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.
Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log.
Retain this log for a minimum of three months, unless otherwise restricted by law.

bottom of page