Payment Card Industry (PCI) Data Security Standards Practice Test

Prepare for the Payment Card Industry (PCI) Data Security Standards Test. Study with multiple choice questions, hints, and explanations. Get ready to excel in your exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


PCI DSS Requirement 12.7 requires screening and background checks for which of the following?

  1. All personnel employed by the organization

  2. Personnel with access to cardholder data or the cardholder data environment

  3. Visitors with access to the organization's facilities

  4. Cashiers with access to one card number at a time

The correct answer is: All personnel employed by the organization

The correct focus within PCI DSS Requirement 12.7 is on the necessity for conducting screening and background checks specifically for personnel who have access to cardholder data or to the cardholder data environment. This requirement aims to ensure that organizations are taking appropriate steps to safeguard sensitive information by vetting individuals who may have the potential to compromise that data. While it may seem like a comprehensive approach to screen all personnel, the essence of PCI DSS is to implement controls that are proportionate to the risk involved, particularly in relation to sensitive data. Therefore, the requirement is more focused on those individuals who have direct access to critical data rather than applying broadly to all personnel. This targeted screening helps bolster the overall security posture of the organization by ensuring that only trusted individuals are granted access to sensitive information. The emphasis on personnel with access to cardholder data ensures that organizations can mitigate the risks associated with insider threats and other vulnerabilities, enhancing the trustworthiness of their operations regarding sensitive payment information.