What Does the PCI DSS Say About Employee Background Checks?

October 22, 2014

Question: Can you tell me what “employee background” requirements are for PCI compliance? If a potential employee has any arrest/conviction of any kind (felony or misdemeanor), can they not be hired or work in a PCI compliant call center?

Answer: The PCI DSS requires (via Requirement 12.7) that a background check be performed on any prospective employee who will have access to cardholder data or the cardholder data environment. Background checks are also recommended (but not required) for employees who only have access to one card number at a time when facilitating a transaction, such as store cashiers.

Background checks can include verification of previous employment history, criminal record, credit history and reference checks. The PCI DSS does not specifically say you have to do all of these things, only that you ensure background checks are completed prior to hire and that you conduct the background checks “within the constraints of local laws.”

So, while you are free to do some or all of the above-mentioned checks, we recommend that you do the maximum allowed by your local laws.

