Employee Requirements
There are two main requirements that some potential and current employees must comply with in order to process payment cards: new hire background checks and annual training.
New hire background checks
A pre-hire background check is required for any position considered "security-sensitive." Units must coordinate with their Human Resources office to ensure that notification of the position requiring a background check is included in any publicly advertised position postings as well as the job position description. Candidates must agree to this pre-hire background check before an official employment offer is made.
Payment card processing is considered “security-sensitive” when an employee can access multiple card numbers at any one time or if card numbers are on paper or in electronic format. For example, a background check would be required for a position that included access to system or summary reports that contained information about multiple cardholders.
Background checks are recommended, but not required, for positions (like a cashier) with access to only one card number at a time when facilitating a transaction.
Annual training
Employees who handle, or supervise those who handle, payment card data as part of their job duties are required to complete the Payment Card Data Security Training annually. A portion of this tutorial includes reviewing appropriate policy and procedures. In addition, when units submit their PCI DSS Self-Assessment Questionnaire (SAQ), they affirm (in requirement 12.6) that the appropriate staff have completed annual training.
Duties that would require training include: processing transactions, reconciling transaction activity that includes payment card data, and managing or operating systems that store, process, or transmit payment card data.
New hires should complete this training before beginning in their position.