Background Checks


nduda78
03-19-2007, 10:53 AM
Section 12.7 of the PCI DSS Security Audit Procedures states that HR needs to perform background checks on potential employees who will have access to cardholder data, etc.

Who is responsible for approving this based on the background check? In other words, if an organization has an employee who has been employed by them for many years and now needs to handle credit card data, and the background check comes back with a bunch of red flags (i.e. previous theft), what happens? Whose choice is it to let that person either have access or deny access: upper management (the company), or PCI DSS/CISP (Visa)?

mdahn
03-19-2007, 05:38 PM
Although PCI DSS requires that companies perform background checks, it does not state what actions the companies must take based on the information they discover.

Also, the level of rigor in performing the background check is determined by the company itself (with guidance provided by the DSS) because international rules may prevent certain checks from being performed.

nduda78
03-19-2007, 05:46 PM
Although PCI DSS requires that companies perform background checks, it does not state what actions the companies must take based on the information they discover.

Also, the level of rigor in performing the background check is determined by the company itself (with guidance provided by the DSS) because international rules may prevent certain checks from being performed.

Hmmm, what's the sense then? I guess maybe in case of an event, if the background check had red flags, PCI DSS can say something like "Well, why did you put a person who has a record of stealing credit cards in charge?" and fine away. I'm not sure that this leaves much for an argument though; after all, "we" (the company) didn't think it was that bad of a background.

Interesting... can't wait to see where this leads.

mdahn
03-19-2007, 05:59 PM
On one hand it sounds like "what's the sense" but on the other you can imagine trying to enforce a global standard against local, national, and international personal privacy laws. Not easy.

There are many legal reasons for this to be as it is.

nduda78
03-19-2007, 06:39 PM
I agree... sounds like there should be something that states, "The merchant shall give careful consideration to job roles (that handle credit card data) based on the results of a background check." That, or this is assumed anyway.

But anyway, my question was answered. To sum it up, after a background check it's up to the merchant/company to determine the fate of the employee, not PCI DSS. The merchant/company will, however, be responsible (at least as far as PCI DSS is concerned) should that individual with a bad background commit credit card theft/fraud against the merchant.

Jazzy
04-04-2007, 08:27 AM
Interestingly, the dealings I have had with PCI DSS have stated that background checks are not retrospective. They also only apply to those who have the ability to retrieve bulk card data. This narrows down the requirement significantly and makes it far less onerous to implement.

It doesn't help those that have already performed background checks on existing staff, but would you really take action against a long-term member of staff with an exemplary work record just because of a background check that reveals something in the dim and distant past?

mdahn
04-05-2007, 03:28 PM
This is true in that background checks do not apply to employees who only have access to one card number at a time.

Requirement 12.7 states: "For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only."

josethpauline
07-01-2009, 09:40 PM
How are you doin', guys? You can call me Pauline.
I am a new member of this forum and I hope I'll have the chance to interact with you all!
Please try A1 Background Check (http://www.a1backgroundcheck.com/). Thanks!
Have a nice day!

jonassono
07-02-2009, 08:31 AM
Interestingly, the dealings I have had with PCI DSS have stated that background checks are not retrospective. They also only apply to those who have the ability to retrieve bulk card data. This narrows down the requirement significantly and makes it far less onerous to implement.

It doesn't help those that have already performed background checks on existing staff, but would you really take action against a long-term member of staff with an exemplary work record just because of a background check that reveals something in the dim and distant past?

As Dr. Phil would say, let's get real here!!

The next interpretation we will hear on this blog is the need to perform background checks on the immediate family members of employees that have access to cardholder data.

That or "any staff member found to be delinquent paying a parking ticket, shall be dismissed from their place of work immediately".

As with most current business issues, common sense should prevail.

The PCI states that "background checks shall be performed..." and that is all it says; reading a whole lot of clandestine meaning into this requirement is simply paranoia.

I suggest that as information security professionals, we should be more vigilant of the executive ranks of a merchant organization or service provider than the rank and file.

This is where the vast majority of white collar crime exists - just watch CNN every day!!!