Access to one card at a time isn’t a bad thing?

    15 Aug 2008

    I’m writing an article series that includes some information about PCI DSS. In my research, I noticed something interesting – almost comical – about Requirement 12.7:

        “Screen potential employees to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.”

    So, “access to one card number at a time” won’t put credit card data at risk? An employee with a shady history could gather quite a few credit card numbers day in and day out this way…

    I know it’s not realistic to screen every employee all the time – especially in high-turnover jobs. Rather, I’m just pointing out how information security is not black and white and there are always loopholes and gotchas.