Under PCI DSS requirement 12.7, merchants must screen employees and contractors who have any contact with cardholder data. Increasingly, large retailers are asking their solution providers to perform such checks on the technicians who install and maintain POS systems, and some ISVs have begun urging their dealers to comply.
Makes sense. With theft of card data a growing issue, it's a no-brainer that you wouldn't want the wrong people working on systems that process this sensitive data.
The problem is, requirement 12.7 is extremely vague. Notice it doesn't say what that background check should include: Criminal records? Driving records? Dental records?
Part of that is because of the standard's global scope; in some European countries, for example, privacy and employment law restricts or prohibits employer background checks, and U.S. state laws vary, so the rule has to accommodate those differences. Like many similarly vague rules, the particulars are likely to be settled in the courts, when the inevitable lawsuits following breaches delve into whether due diligence was exercised in security measures.
Setting the Standard
In the meantime, it's up to VARs to decide what a background check should consist of, and how they'll handle the information that comes out of it.
DCRS has been doing background checks for 10 years, ever since the St. Louis VAR's car insurance company requested them for employees using company cars. Steve Kramer, the company's vice president, realized it wasn't a bad idea to clear new hires' backgrounds anyway; some merchants pay cash (a whole other subject), and you wouldn't want someone with, say, a recent bankruptcy filing to be handling cash on your behalf.
"I do it at the final cut in the hiring process, if I'm ready to make an offer," Kramer says.
But the fact is, many smaller VARs don't do background checks. PCI might well be the impetus to change.
Membership Has Its Benefits
Members of the Retail Solution Providers Association (RSPA) can obtain background checks at a discount of more than 30 percent from Pre-employ.com, the service Kramer has long used; that brings a $120 to $125 check down into the $75 to $80 range. In the absence of any specifics in the rule, RSPA and Pre-employ.com looked at best practices in the health care and financial industries and put together a package that includes criminal, credit and motor vehicle reports, five years of employment history, and optional checks such as terrorist watch lists and sex offender registries. The service includes both database checks and hands-on county-level records searches in the appropriate jurisdictions.
But it's up to VARs to decide what they want to check, and what to do with the results. Issues include:
What to check. What's the profile of someone who will steal card data? There's no well-established profile, but a history of fraud, theft or other financial crimes is the obvious red flag.
Whom to check. Potential new hires are an obvious choice, but what about long-standing employees? Some VARs elect not to run checks on long-tenured staff. "If it were me, I'd check technicians and programmers - anybody who will or could have access to files on the system, or anybody doing training," suggests Joe Finizio, president and CEO of the RSPA.
What to do with the information. According to Pre-employ.com, 10 to 15 percent of its checks reveal a criminal record. VARs need to weigh the nature of a crime or other finding against what else is known about that person - particularly a long-standing employee. In the U.S., a report obtained from a third-party screener such as Pre-employ.com is a consumer report under the Fair Credit Reporting Act, so the employer needs the subject's written authorization up front and must follow the adverse-action notice process before rejecting or dismissing someone on the basis of it. Robert Mather, CEO at Pre-employ.com, recommends: "Don't try to do a background check in secret, don't be afraid to show the person the results, and use it as a way to open communication and dialog."