Putting the ass in assessment, redux
Posted by Ed in Analysis on Mar 23, 2007
(Today’s topic brought to you by Dave Newell.) So, I don’t know if you’ve read it, but the PCI assessment standards manual makes for some fantastic reading. Not. It’s kind of like reading a John Grisham thriller, but without all the fast-paced action and interesting plot. Anyway, so to tee up today’s ranting, take a look at the following from the PCI DSS Assessment Procedures:
12.7 Inquire of Human Resource department management and verify that background checks are conducted (within the constraints of local laws) on potential employees who will have access to cardholder data or the cardholder environment. (Examples of background checks include pre-employment, criminal, credit history, and reference checks)
OK, pretty standard stuff, right? But here’s a question that we’ve been struggling with over the past few weeks. What’s the level of expectation that firms run credit checks as part of on-boarding, and what criteria should firms use when evaluating credit history as a factor? The “first blush” temptation in looking at this is to say “it says example, chump… obviously it’s not required at all