According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization’s procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.

According to the glossary, bespoke and custom software describes software developed by an entity for its own use, which means it should not be shared with other entities or sold or transferred without proper authorization. This is one of the requirements for ensuring that bespoke and custom software meets all the security standards and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide1.

According to requirement 4, PAN must be protected with strong cryptography for transmission over private wireless networks, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception of cardholder data over wireless networks. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.

when disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.

According to the PCI DSS v3.2.1 Quick Reference Guide1, a compensating control must address the risk associated with not adhering to a PCI DSS requirement and must be approved by an authorized person before implementation. This is one of the requirements for reducing or eliminating a risk that cannot be eliminated by other means

all network transmissions must be logged by an entity’s security information and event management (SIEM) system or equivalent tool, which means they should record all network events and activities related to cardholder data processing and transmission. This is one of the requirements for ensuring that network transmissions are monitored and audited.

According to the PCI DSS v3.2.1 Quick Reference Guide1, an internal NTP server that provides time services to the cardholder data environment is in scope for PCI DSS if it stores processes or transmits cardholder data, regardless of whether it provides authentication services to systems in the DMZ or not. This is one of the requirements for preventing unauthorized access to cardholder data using time services.