GRCWatch
Sign inStart free trial

PCI DSS 12.7.1: Conducting Background Checks Before CDE Access

Personnel access to cardholder data demands trust verification. PCI DSS 12.7.1 requires background checks before any employee begins work in your cardholder data environment. This foundational control reduces insider threats and ensures your payment security posture meets regulatory standards.

What this means

All individuals who will have access to the cardholder data environment (CDE) must undergo background checks prior to employment. These checks verify identity, employment history, and criminal records, establishing a baseline of trustworthiness before granting system access. The requirement applies universally—no exceptions for contractors, vendors, or temporary staff.

How to comply

  1. 1.Define what constitutes CDE access in your organization and identify all personnel requiring checks
  2. 2.Select a reputable background check provider compliant with local employment laws
  3. 3.Establish clear background check criteria aligned with your organization's risk tolerance
  4. 4.Document the background check process and retention timeline in your information security policy
  5. 5.Conduct checks before granting access—not retroactively—and maintain records for all personnel
  6. 6.Review and renew background checks at appropriate intervals based on your defined policy
  7. 7.Train hiring managers on this requirement to prevent access provisioning before checks complete

Evidence auditors look for

  • Background check authorization forms signed by candidates before employment
  • Completed background check reports from third-party vendor showing verification date
  • Employee records documenting background check completion prior to CDE access activation
  • Access provisioning logs showing access granted only after check clearance
  • Policy documentation defining background check requirements and scope
  • Audit trail showing background check renewal dates for existing personnel

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch tracks background check completion dates and flags personnel with expired or missing checks before CDE access is provisioned, eliminating manual oversight gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.7.2 — Maintain Personnel Awareness and Training on Security PoliciesPCI DSS 7.1 — Limit Access to CDE by Business NeedPCI DSS 8.1 — Manage User Identification and Authentication