I’m writing an article series that includes some information about PCI DSS. In my research, I noticed something interesting – almost comical – about Requirement 12.7:
“Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.”
So, “access to one card number at a time” won’t put credit card data at risk? An employee with a shady history could gather quite a few credit card numbers day in and day out this way…
I know it’s not realistic to screen every employee all the time – especially in high turnover jobs. Rather, I’m just pointing out how information security is not black and white and there are always loopholes and gotchas.