September 1st, 2015 | Sterling

PCI-DSS and Employee Background Checks


With each and every update of the Payment Card Industry Data Security Standard (PCI DSS) comes a fresh surge of enquiries at SterlingBackcheck regarding guidance on screening personnel.

The Standard was introduced in 2006, “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally”. It has changed relatively little since its inception and there has always been a requirement for background checks as part of PCI DSS Control Objective 6 / Requirement 12, which covers the need to maintain a policy that addresses information security for all personnel. The current directive is as follows:

“12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.” Examples of appropriate types of background checks may include previous employment history, criminal record, credit history, and reference checks.

It is also worth pointing out that since PCI DSS was introduced there has been a recommendation (rather than a requirement) for personnel with access to credit/debit card details on an individual transaction basis, such as store cashiers, to be screened.

It should be noted that PCI DSS stipulates, “for the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.”

The most comprehensive guidance regarding screening personnel was actually issued by the PCI Security Standards Council back in October 2010 – “Navigating PCI DSS – Understanding the Intent of the Requirements”.

The advice here states that, “it is expected that a company would have a policy and process for background checks, including their own decision process for which background check results would have an impact on their hiring decisions (and what that impact would be).” There is also a strong suggestion that positions with greater responsibility or administrative access to data or systems would necessitate more robust screening. Further guidance indicates the need to have provisions within the firm’s background checking policy for vetting current personnel, should promotion or internal transfer result in greater levels of access or responsibility that would warrant enhanced and/or repeat checks.

However, it could be argued that the Testing Procedures outlined in “Requirements and Security Assessment Procedures” may not go far enough, particularly in light of the guidance issued by the PCI Security Standards Council around promotions and internal transfers. Perhaps later versions of the document will also include requirements for vetting existing personnel, or repeating certain elements of the background check, on a regular basis, in the same way that other areas of PCI DSS require an annual risk assessment?

So why should ongoing vetting be necessary if background checks have to be conducted prior to hire anyway? A fair question, but consider for a moment that PwC’s Global Economic Crime Survey 2014 reported that 56% of fraudsters come from within organisations. Furthermore, the profile of a typical internal fraudster is someone who has served their employer for 6 years or more. Several of the regulated industries in the UK (i.e. education, healthcare, security and financial services) have for many years included elements of background checks which require ongoing vetting of personnel, and some firms may already interpret the spirit of PCI DSS to include these additional measures.

It is clear that employers have a fairly blank canvas when it comes to which background checks to include when screening personnel for PCI DSS compliance, as only a handful of examples are mentioned in the Standard. The key consideration is that background checks should be conducted “within the constraints of local laws,” which is very sound advice indeed. However, whilst there is nothing to stop firms rolling out the same checks across all personnel, a case could easily be made for weighing up the need for enhanced screening of groups or individuals with greater areas of risk and/or access to data.

Employers need to be mindful that it is not just a question of whether credit or criminal record information is actually available in a given country, but whether that information can legally be used for employment screening purposes in the hiring country. There are numerous countries across the globe where, although a mechanism exists for accessing criminal records, such information should only be sought when the individual is being employed overseas in a country whose local employment law permits the use of criminal record checks for employment purposes. A further layer of complication arises in countries where only a very restricted group of individuals is eligible for criminal record and/or credit checks, whilst these background checks would be inappropriate (and illegal) for the majority of the nation’s workforce.

Hopefully this post has shed some light on:

  • The requirement for personnel screening as a key component to achieve PCI DSS compliance;
  • The need to consider what background checks would be permissible for different countries;
  • Whether or not to introduce multiple levels of screening for different personnel / risk groups;
  • The importance of vetting existing personnel, as well as the requirement for screening prior to hire.

Please note that this post is intended to be informative and practical, but should not be considered legal advice. Please liaise directly with your legal counsel for guidance.

If you have any questions, or would like to find out more about how we can help to structure your screening programme to meet PCI DSS requirements, please don’t hesitate to get in touch.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.