SRM's PCI Devil on Twitter

Follow our PCI Devil on Twitter

Expert comment on the latest developments in PCI DSS:

PCI Devil just tweeted: a scaled approach solves requirement 12.7!

Requirement 12.7 of the PCI DSS states that organisations "should screen their employees to minimize the risk of attacks from internal sources".

But what does this mean in practice? Should you screen everyone? Or just the people handling card transactions and customer data? And to what extent and when?

Defining the scope and scaling the response is once again the key to meeting this criterion.

Thankfully, you almost certainly won't have to screen everyone in your organisation, because that is probably above and beyond what is required to meet 12.7 of the PCI DSS. If an employee has no access to customer card data and is never exposed to it, then there is arguably no need to screen them for the purposes of meeting PCI DSS 12.7. This is exactly what we mean by a scaled approach.

Firstly, we would suggest carrying out an operational risk assessment to identify who is handling customer card data and to what extent, i.e. how much access do they have, how often, and how much card data is actually exposed to them in one go? For example: do they have access to the details of multiple card transactions at once, or do they only process one transaction at a time with very limited exposure to the data? Asking these sorts of questions will enable you to determine who needs to be screened and to what level.

A rough guide would be to say that the more data someone handles in one go, the more in-depth the screening should be. We would also suggest completing the screening before you employ someone, mainly because once you grant someone access privileges to your customers' card data they technically become part of your risk portfolio.

As for the level of screening, it depends. How much assurance do you want? The more in-depth the screening, the higher the level of assurance achievable. For example, for employees such as store cashiers, who only have access to one card number at a time when handling a transaction, carrying out a Basic CRB check and verifying two previous employers, along with a credit search, may be more than enough to satisfy your need for assurance. However, for those people handling multiple transactions in one go, with access to the whole range of customer data, you might want to go further and aim for British Standard 7858.

Our screening division can help you understand what we can do to help you satisfy this requirement and achieve the appropriate level of assurance.


PCI DSS Services

We offer the following PCI DSS services:

  • PCI DSS Advice - our PCI specialists will advise you how to achieve PCI DSS compliance in relation to your particular organisation.
  • PCI DSS Remediation - after defining the scope of your PCI project, our PCI advisors will identify the areas that need remediation in order for your organisation to become PCI compliant.
  • PCI DSS Audit - SRM is a QSA for PCI DSS; our PCI specialists will carry out the audit against the Payment Card Industry Data Security Standard.

What stage are you at?

  • PCI DSS Analysis Stage
  • PCI DSS Remediation Stage
  • PCI DSS Auditing & Accreditation Stage
  • PCI DSS - Ongoing Compliance

Not sure? What is PCI DSS all about?
