How extensive must background checks be on employees who have access to cardholder data?
PCI DSS requirement 12.7 states, "Screen potential employees to minimize the risk of attacks from internal sources." It further states, "For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only." In general, it is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions (and what that impact would be). The check should be exhaustive enough (within the constraints of local law) to reduce the risk of fraud from internal resources. Examples of criteria, if permissible by law, that could be checked include employment history, criminal records, credit history, and reference checks.