Which statement about a visitor log is correct?

• A. A visitor log is optional for facilities processing cardholder data.
• B. A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted, including the visitor's name, firm represented, and onsite personnel authorizing access, retained for at least three months.
• C. A visitor log should only record the date of entry.
• D. A visitor log must be stored electronically with no hard copies.

Answer: (B)

Keeping a visitor log is about creating a verifiable record of who enters areas that hold cardholder data, so you can trace access and respond to any incidents. The best statement captures the full scope: it describes maintaining a physical audit trail of visitors to the facility and to computer rooms or data centers where cardholder data is stored or transmitted, including the visitor’s name, the firm represented, and the onsite personnel authorizing access, with retention for at least three months. This supports accountability and security reviews.

Other options don’t fit because access logging isn’t optional, limiting the log to just the date omits critical identification and authorization details, and there’s no requirement that logs must be electronic only (hard copies are acceptable as part of a robust physical access record).