Rerunning background checks
My organization already does background checks as part of the hiring process. Will it be necessary to run them again as part of a PCI compliance process? If so, to what standard?

The PCI has published a document called the Qualified Data Security Company Requirements (QDSC). Section 4 of that document explains how policies and procedures related to background checks may be evaluated in terms of the QDSC requirements. From what I can see, this is evaluated on a case-by-case basis, and though there is reference to a set of "QDSC's personnel background check policies and procedures" on page 11, I can find no such documents anywhere on the Visa Web site.

The closest I could find was in a PCI Security Audit Procedures and Reporting document, where Section 12.7 covers screening potential employees to minimize the risk of attacks from internal sources, which states:

"Inquire of Human Resources Department Management and determine that there is a process in place to perform background checks on potential employees who will have access to systems, networks, or cardholder data. These background checks should include pre-employment, criminal, credit history, and reference checks."

My advice would be to contact Visa and to ask them if they can supply more detail, or if their qualification process as an approved vendor will jump this hurdle along with others along the way to such status.

This was first published in October 2006