WithPCI.com

12.7 Personnel are screened to reduce risks from insider threats.

This requirement ensures that organizations conduct background checks on potential personnel who will have access to the cardholder data environment to reduce risks from insider threats.

Sub-requirements:

12.7. Personnel are screened prior to hire.

Ensure that all personnel are screened before hire to minimize the risk of insider threats.

Sub-requirements: 1
Test Points: 1
Implementation Difficulty: Low (1.0)
Control Types: Process (1)

Key Risks

Hiring high-risk personnel
Incomplete background checks
Increased risk of insider threats

Frequently Asked Questions

What screening is required for new hires?

Background checks, reference verification, and other checks as permitted by law.

Are contractors also screened?

Yes, all personnel with access to cardholder data or systems must be screened.

How are screening results documented?

Through HR records and onboarding checklists.

What happens if a candidate fails screening?

They may be disqualified from sensitive roles or employment.

How often are screening policies reviewed?

At least annually or after changes in legal requirements.

Common QSA Questions

Can you show evidence of pre-employment screening?

Yes, we maintain records of all background checks and screening results.

How are contractors screened?

Contractors undergo the same screening process as employees.

How are screening processes updated?

Policies are reviewed and updated regularly to reflect legal and business changes.
