Which statement accurately describes the policy for visitors entering areas where cardholder data is processed?

• A. Visitors are authorized before entering, but escorts are not required at any time within such areas.
• B. Visitors are authorized before entering, and escorted at all times within areas where cardholder data is processed or maintained.
• C. Visitors may enter freely and only be escorted if they request it.
• D. Visitors must surrender any identification but need not be escorted.

Answer: (B)

Managing physical access to the cardholder data environment means ensuring that only authorized people enter and that someone monitors them while they are inside. The best policy requires both authorization before entry and a continuous escort at all times within areas where cardholder data is processed or maintained. This combination provides accountability, limits who can be present, and prevents unobserved access, tampering, or exposure of sensitive data. Without an escort, or with free roaming, there’s a higher risk of someone observing or handling data improperly. Simply surrendering identification without escort also fails to guarantee ongoing supervision, which is essential for protecting cardholder data.