If your organization accepts payment cards, the PCI DSS requires you to protect cardholder data and sensitive authentication data wherever they are processed, stored, or transmitted, but doing so is easier said than done. Weak or absent PCI security training shows up in the steady stream of reported card data breaches, large and small, at well-known retailers, social media platforms, hospitality and medical providers, and financial services firms, to name a few.
Merchants' difficulty in meeting PCI DSS requirements cannot be attributed to a single cause: lack of time and resources, the cost of upgrades, and lack of knowledge can all play a significant role. PCI security awareness training cannot solve all of these problems, but ensuring that your employees understand their responsibility for protecting cardholder data is a big step in the right direction. When it comes to PCI compliance, your people make a big difference by carrying out their roles and understanding how their actions affect the entire process. Your IT team can implement secure processes at every step of the electronic system, but if someone in Finance or a customer service representative does not understand the reasons for and requirements of the plan, and bypassing a security measure is easier or faster, one person can put the entire organization at risk.
This course is designed to help. It introduces PCI DSS from an organizational perspective, touching on the various roles in the process so that each employee understands their own part and why it matters to the organization as a whole. By promoting PCI security awareness across multiple departments, an organization encourages broad ownership and a team approach to this critical security standard, significantly strengthening payment security and reducing the odds that someone compromises the process unintentionally.
Introduction to PCI DSS Course Description
GLS’ PCI DSS Introduction, online course 5610, is a comprehensive payment security and PCI training course that will help your personnel gain awareness of PCI DSS requirements. It not only covers the basics, but also includes engaging scenarios that help employees understand how the requirements apply to a variety of departments including IT, finance/accounting, and customer service. It meets your PCI training needs by covering the following topics:
- The purpose and requirements of PCI DSS
- Benefits of compliance
- Costs associated with non-compliance including risk of data breaches and fraud
- PCI DSS departmental responsibilities in a typical organization
- The areas of a credit card that contain cardholder data (CHD) and sensitive authentication data (SAD)
- Examples of typical attack vectors and best practices for ensuring safety
- Details of the changes introduced in PCI DSS version 3.1
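The distinction the course draws between cardholder data (CHD: the PAN, cardholder name, expiration date and service code) and sensitive authentication data (SAD: full track data, the CAV2/CVC2/CVV2/CID code, and PINs or PIN blocks) is what Requirements 3.2 to 3.4 turn into concrete controls: SAD must never be stored after authorization, and a displayed PAN may show at most the first six and last four digits. The following Python is an added example (not part of this page or the course) of what that looks like in a log-scrubbing routine: it drops SAD fields outright, masks PAN fields, and uses a Luhn check so that other long numbers, such as an order ID, are not mistaken for a PAN. The field names, regular expression and sample log line are constructed for the example.

```python
import re

# Field names treated as sensitive authentication data (SAD); assumed names for this example.
# PCI DSS Req. 3.2: SAD must not be stored after authorization, even if encrypted.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not adjacent to other digits. Constructed for this example; tune for real logs.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out long numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the maximum PCI DSS Req. 3.3 permits on display."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:        # too short to be a PAN; hide it entirely
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN-shaped number in free text (e.g. a log line)."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave it alone
    return PAN_RE.sub(repl, text)


def scrub_record(record: dict) -> dict:
    """Prepare a transaction record for storage or logging: drop SAD, mask PAN, redact free text."""
    out = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue            # never persisted, not even masked
        if key.lower() == "pan":
            out[key] = mask_pan(value)
        elif isinstance(value, str):
            out[key] = redact_pans(value)
        else:
            out[key] = value
    return out


# Constructed sample log line: the 4111... number is the standard Luhn-valid Visa test PAN;
# the 16-digit order number fails Luhn and must survive untouched.
SAMPLE_LOG = ("2023-06-01T10:15:00 pos-07 auth ok pan=4111 1111 1111 1111 "
              "amt=19.99 order=1234567890123456")

if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
    print(scrub_record({"pan": "4111111111111111", "cvv2": "123", "name": "A Person"}))
```

Running the scrubber before a record reaches a log file or database is the point of the exercise: a PAN that is masked at display time but written in full to an application log is still stored cardholder data, and a CVV2 that is "only" in a debug log is still stored SAD.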
This PCI employee training course goes beyond the basics of PCI DSS to cover compliance requirements, the consequences of non-compliance, each department's responsibilities, and the best practices employees can follow to maintain compliance. It is useful for gaining a high-level understanding of an organization's responsibility for designing a secure, company-wide system to protect and manage cardholder data, as well as the requirements such a system must meet.
Duration: 30 minutes; abbreviated Essentials version also available.
Who Should Take This Course?
This is a general PCI DSS security awareness course designed for all levels of an organization. It includes details relevant to finance/purchasing, back end payment processing, administrative tasks, point-of-sale, legal and information technology, among others.
Is PCI Training Required?
Most PCI DSS requirements address security from a technological perspective. The latest version of the standard, "PCI DSS Requirements and Security Assessment Procedures, Version 3.2.1," published in May 2018, sets out mandatory controls for firewall configuration, encryption, password use and anti-virus software, among others. Requirement 12.6, however, approaches PCI DSS from a different angle: training. It states that organizations must "implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures." Its sub-requirements make the expectation explicit: personnel must be educated upon hire and at least annually (12.6.1), and must acknowledge at least annually, in writing or electronically, that they have read and understood the security policy and procedures (12.6.2). (1)
(1) PCI Security Standards Council. (2018, May). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.2.1. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1562025478147