How extensive must background checks be for employees who have access to cardholder data?
In general, it is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions, and what that impact would be. The check should be exhaustive enough (within the constraints of local law) to reduce the risk of fraud from internal resources. Examples of criteria that, if permissible by law, could be checked include employment history, criminal records, credit history, and reference checks.
To be effective, the level of background checking should be appropriate for the particular position. For example, positions requiring greater responsibility or that have administrative access to critical data or systems may warrant more detailed background checks than positions with less responsibility and access. It may also be appropriate for the policy and process to cover internal transfers, where personnel in lower risk positions, and who have not already undergone a detailed background check, are promoted or transferred to positions of greater responsibility or access. .