Retail Payment Processing: Many Roles, One Goal

Credit cards, debit cards, gift cards, mobile payments – retailers must support multiple payment options for customers, both in-person and online. This makes buying more convenient for customers, but it increases the payment security burden on retailers. Payment processing involves multiple steps and multiple people, and every one of them widens your attack surface. Despite the many roles that play a part in payment card processing – sales associates, accounting, accounts receivable, and more – they all should share a single goal: secure payment processing at every step, protecting the sensitive cardholder data of your customers.

Despite our best efforts, criminals have had no trouble keeping pace with advancements in payment security measures, while also continuing to exploit many “old-school” strategies to steal payment data. Regular announcements of high-profile breaches attest to their success and show that complying with PCI DSS requirements to protect cardholder data is difficult and vitally important.

PCI Training Can Help

One important means of improving your security posture as a merchant and meeting your goal of secure payment card processing is regular PCI training for your staff. Requirement 12.6 of the PCI DSS directs organizations to “implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures,” and Requirement 12.6.1 specifies that personnel be educated upon hire and at least annually. (1) Choosing the right training for your staff is essential. Retail employees are the face of your organization, talking to customers and processing customer payment data hundreds of times a day. Training them in PCI security awareness and payment security best practices is one of your strongest defenses against breaches, retail fraud and the mishandling of cardholder data.

PCI Training Built for Retail

GLS’ PCI DSS for Retail (8247) is PCI compliance training designed specifically for retail associates. It is divided into four self-paced modules covering the knowledge employees who handle cardholder data and payment card transactions need in order to keep that data protected. The training offers tailored learning pathways for card-present and card-not-present environments, plus an optional advanced module for managers or other employees who need additional insight into fraud identification, incident reporting and other security practices. Each module is 5-7 minutes long, and learners take only the modules that apply to their role.

The topics a learner sees depend on the role they select. For example, a learner who selects “Handling both in-person and other forms of transactions” sees modules 1, 2 and 3 but not module 4. A learner who selects “Playing a leadership role in securing in-person transactions” sees modules 1, 2 and 4, but not module 3. Module 1, the introduction, is always included. Depending on the learner’s role, various combinations of the following modules are presented:

Module 1: Introduction to PCI DSS introduces all learners to the PCI DSS requirements for their daily work and explains why these requirements are important to follow. It covers the following topics:

  • Actors in payment card processing
  • Threat vectors in payment processing
  • Identifying and protecting sensitive data
  • Overview of PCI DSS Requirement 8 (identify and authenticate access to system components, i.e., secure use of payment systems) and Requirement 9 (restrict physical access to cardholder data, including secure handling of physical copies)

Module 2: Card Present (CP) Environment focuses specifically on PCI training requirements for retail associates who see or handle payment cards in their daily work. It covers the following topics:

  • Payment card security features
  • Processing CP payments
  • Inspecting payment terminals
  • Identifying suspicious customer behavior
  • Recognizing counterfeit cards

Module 3: Card Not Present (CNP) Environment addresses the PCI training requirements for associates who process cardholder data but do not see or handle the physical payment card. This module is designed for employees who take mail-order/telephone-order (MOTO) transactions by phone, mail or fax, and for those who process ecommerce orders. It covers the following topics:

  • Processing CNP payments
  • PCI best practices for processing phone, fax, mail and ecommerce transactions
  • Recognizing signs of fraud in ecommerce orders
  • General back office cybersecurity best practices

Module 4: Advanced Topics is designed to take PCI security awareness training to the next level.  Employees taking this module will learn about restricting access to sensitive information, as well as additional risks to retail organizations and mitigation strategies that can apply to any retail environment.  It covers the following topics:

  • Restricting access to cardholder data (PCI DSS Requirement 7)
  • Handling additional payment issues (e.g., unsigned cards)
  • Reporting a potential security incident
  • Spotting tampering/Establishing a payment terminal inspection program
  • Common scams and psychological manipulation/social engineering
  • General office cybersecurity best practices

References

1 PCI Security Standards Council. (2018, May). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.2.1. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1562025478147