March 2026
PCI DSS v4.0 makes hiring risk a top compliance concern for UK firms handling card data
PCI DSS v4.0, including its future-dated requirements, is now fully mandatory. For UK organisations handling card data, getting personnel screening wrong carries more compliance exposure than it ever has. Here is what compliance looks like in 2026.
The Breach You Did Not See Coming
Many payment card data breaches do not begin with sophisticated external attacks. They begin with an insider: someone who has legitimate access and abuses it, is manipulated by others, or should not have been given that access in the first place.
The Payment Card Industry Data Security Standard contains controls aimed specifically at insider risk. Yet while companies spend heavily on technical controls such as firewalls, encryption, tokenisation and MFA, personnel screening is often treated as an afterthought.
PCI DSS v3.2.1 was retired on 31 March 2024, and the v4.0 requirements that were future-dated became mandatory on 31 March 2025. For UK organisations, as elsewhere, the compliance actions on hiring are now clear: screen personnel thoroughly before they are given access, document each decision, and be able to show an assessor that hiring practice matches the standard.
What PCI DSS Actually Requires and Why Most Organisations Fall Short
Requirement 12.7.1 of the standard is clear: potential personnel who will have access to the cardholder data environment (CDE) must be screened, within the constraints of local law, before hire to minimise the risk of attacks from internal sources. The standard's definition of personnel covers full-time and part-time employees, temporary staff, contractors and consultants with CDE access, not just IT staff or senior managers.
To meet the requirement, assign screening according to each role's risk and level of access, document every check, and make sure the process satisfies both UK employment law and the evidence an assessor will ask for.
Many organisations use a single screening package for every role, or screen only at onboarding. Requirement 12.7.1 itself sets no rescreening interval, but v4.0's risk-based approach means an assessor will expect a documented rationale for whether, and how often, personnel with CDE access are rescreened, particularly after a promotion or a change in access.
What Changed When v4.0 Became Mandatory in March 2025
The transition from PCI DSS v3.2.1 to v4.0 was the most significant overhaul of the standard in more than a decade. For personnel security specifically, three changes raise the bar.
The first is the strengthening of Requirement 12.6 on security awareness training. Under v4.0, training is no longer an annual formality. Requirement 12.6.3.1 requires it to cover phishing and social engineering, 12.6.3.2 requires it to cover the acceptable use of technology, and 12.6.2 requires the programme to be reviewed and updated at least once every 12 months to reflect current threats. An organisation still using the same training materials it used three years ago is already non-compliant.
Taken together, organisations must now (1) decide, on the basis of a documented risk analysis, whether and how often personnel with cardholder data access are rescreened, and retain evidence of that process, (2) deliver updated training under Requirement 12.6 on hire and at least annually, and (3) review user accounts and access privileges at least every six months under Requirement 7.2.4, alongside the identification and authentication controls of Requirement 8.
The Checks That Matter and the Ones That Get Skipped
For UK employers building a PCI DSS-compliant screening framework, the baseline is well established. Identity verification and right to work are non-negotiable. A DBS criminal records check forms the criminal history baseline: a Basic check can be requested for any role, while Standard and Enhanced checks are only available where the role is eligible under the Rehabilitation of Offenders Act exceptions (certain FCA-regulated functions, for example), not simply because a role is senior or has data access. Credit and financial probity checks address the financial soundness criteria the FCA applies to regulated firms, and flag CCJs, bankruptcies and IVAs that may indicate elevated insider risk.
Employment history should be verified for at least three years, including a full gap analysis, and reference checks from at least two previous employers are standard. For roles with higher system access, global sanctions and watchlist screening—including PEPs, HM Treasury, and OFAC lists—should be treated as mandatory, not optional.
To remain compliant, organisations must justify any skipped checks, such as adverse media, directorship, or rescreening after promotions or access changes, through documented risk analyses. No check can be omitted without a documented rationale for compliance.
The Third-Party Problem
One of the least-discussed compliance gaps in PCI DSS concerns how third-party service providers are handled. Managed service providers, software vendors, call centres, and payroll processors that deal with cardholder data for other organisations must meet the same requirements. However, responsibility for compliance often falls between procurement and information security teams.
PCI DSS's definition of personnel includes contractors and consultants with CDE access, so the Requirement 12.7.1 screening obligation applies to third-party staff in those roles just as it does to direct employees. Requirement 12.8 then requires a written agreement with each third-party service provider, a record of which requirements each provider manages on the organisation's behalf, and a check of each provider's compliance status at least once every 12 months. In practice, contracts and the vendor management process must state who screens third-party personnel and how that screening is verified.
The March 2025 deadline marked the point at which v4.0's future-dated requirements became mandatory (v3.2.1 itself had already been retired in March 2024), but it did not mark the end of the transition. Many of those future-dated requirements are still being absorbed by organisations at different points in their compliance cycle.
The PCI Security Standards Council has indicated it will continue to support the customised approach to validation. Under it, an organisation may meet a requirement's stated objective with controls of its own design, provided it carries out a targeted risk analysis and the controls are assessed by a Qualified Security Assessor, rather than following the defined approach to the letter. As more organisations take this route, the documentation workload, including for personnel screening decisions, will increase rather than decrease.
For UK organisations, the 2026 compliance cycle will also be shaped by the broader regulatory environment. The FCA's ongoing supervisory focus on financial crime controls, combined with the ICO's increasing attention to data breach accountability, means that the consequences of a cardholder data incident are not limited to the penalties an acquirer or card scheme can impose for non-compliance.
How Avvanz Supports PCI DSS Screening
Avvanz ScreenGlobal is a multi-award-winning background screening platform trusted by retailers, financial services firms, e-commerce businesses, and payment service providers across the UK. We have helped hundreds of UK organisations build PCI DSS-aligned screening programmes that meet assessor requirements and hold up under scrutiny, including the tougher documentation and risk analysis obligations introduced with v4.0.
Our screening packages integrate all required checks—identity, right to work, DBS criminal, credit, employment history, references, and global sanctions—into a single auditable workflow. Every check is tracked to support audit needs.
Whether you are starting a programme from scratch, rescreening staff after a v4.0 gap analysis, or need a platform that works across multiple sites, job types, and third-party relationships, Avvanz has the expertise and infrastructure to make the process simple.
Contact us at consult@avvanz.com or request a demo today.