What does 12.7 require regarding screening before hire?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

What does 12.7 require regarding screening before hire?

Explanation:
Screening potential personnel before hire to reduce risk to cardholder data is what PCI DSS 12.7 requires. It directs organizations to perform background checks on candidates prior to granting access to systems that handle cardholder data. The checks typically cover past employment history, criminal records, references, and, where allowed by law, credit history. This pre-employment verification helps ensure that individuals entrusted with sensitive information have trustworthy backgrounds and are less likely to become insider threats or be vulnerable to coercion. The other options do not meet the requirement: limiting screening to executives, screening only after employment begins, or not performing background checks all fail to align with the mandated pre-hire screening practice.

