PCI Requirement 12.7 reaches into your human resources department and hiring process. Most of the PCI DSS is focused on external risks, but Requirement 12.7 asks organizations to screen potential personnel prior to hire to minimize the risk of attacks from internal sources. Depending on the role and on what local law permits, background checks could include previous employment history, criminal record, credit history, and reference checks.
Background checks are a common part of many hiring processes, but the PCI DSS makes them a requirement because the personnel being hired will be handling cardholder data. You want to be sure that whoever handles cardholder data isn't going to do so in a malicious or careless way. What if you hired someone with a history of fraud, and they ended up using PANs in an unauthorized way? Screening potential personnel is a way to prevent situations like this from occurring and to reduce the risk to your cardholder data.
For PCI Requirement 12.7, the assessor is going to want to spend a little time with your HR personnel. From the PCI DSS perspective, your organization is required to perform some type of background check, within the constraints of local law, on the individuals you hire. This is not required for every individual; it is really only required for those who might have access to more than one piece of cardholder data at a time. For positions such as store cashiers, who only see one card number at a time while facilitating a transaction, the screening is a recommendation rather than a requirement. Your assessor is going to look for evidence that the background checks have taken place, typically by interviewing HR management and reviewing records for a sample of recent hires. The assessor is not concerned with the findings of a given background check; the point of the review is to verify that the check was performed before the hire.