FAQ #1077 Diff

How extensive must background checks be on employees who have access to cardholder data?

Earlier Version

PCI DSS requirement 12.7 states, "Screen potential employees (within the constraints of local law) to minimize the risk of attacks from internal sources."

It further states, "For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only." In general, it is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions (and what that impact would be). The check should be exhaustive enough (within the constraints of local law) to reduce the risk of fraud from internal resources. Examples of criteria, if permissible by law, that could be checked include employment history, criminal records, credit history, and reference checks.

Later Version

In general, it is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions, and what that impact would be. The check should be exhaustive enough (within the constraints of local law) to reduce the risk of fraud from internal resources. Examples of criteria that, if permissible by law, could be checked include employment history, criminal records, credit history, and reference checks.

To be effective, the level of background checking should be appropriate for the particular position. For example, positions requiring greater responsibility or that have administrative access to critical data or systems may warrant more detailed background checks than positions with less responsibility and access.

It may also be appropriate for the policy and process to cover internal transfers, where personnel in lower risk positions, and who have not already undergone a detailed background check, are promoted or transferred to positions of greater responsibility or access.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.