PCI DSS Compliance and the Value of Training Your Employees – Semafone Guest Blog

PCI DSS Compliance

CFISA CEO Michael Levin Guest Blog Article on the Semafone Website

Every business and consumer should be concerned about the security of their credit card data. PCI DSS stands for the Payment Card Industry – Data Security Standard. It sets policies and procedures for businesses of all sizes to help implement security best practices in the handling, transmitting, processing and storing of customer credit card information.

When you think of credit card security best practices, do you think about how you expect a business to protect your credit card information when you make a purchase?

  • Would you want a business throwing your printed full credit card receipt information into a dumpster?
  • Would you be happy if a business emailed or transmitted your credit card number over the internet unencrypted?
  • Would it be OK with you if employees left your credit card information on their desk in plain view while they went to lunch?
  • How would you feel if your credit card information was stored on a laptop and the laptop was stolen from a parked vehicle?
  • Would you be angry if your credit card information was stolen because a business was careless with security of your credit card data?

PCI DSS was created to address these issues and establish security best practices for the credit card industry, including every business that accepts credit cards.

PCI DSS Security Awareness Training is a Required Best Practice

One of the important requirements of PCI DSS compliance involves the PCI security awareness training of employees upon hire and annually. This training must be conducted yearly and can be completed in conjunction with the signing of the acceptable use policy statement.

The acceptable use policy statement describes the policies and procedures employees are required to follow when using company computers and resources.

If you accept, manage, or transmit credit cards and the personal information contained on the card, you need to train your employees upon hire and annually to be PCI DSS compliant.

Employees are on the front line of protecting credit card information, so their understanding of the rules and their vigilance are imperative. Training all employees on the rules of PCI DSS compliance should be one of the first steps when starting this process.

Important PCI DSS Training Topics

Whether your employees work at the front desk with customers or in a back office, they are equally responsible to follow the PCI DSS rules.

Employees need to be aware that if they see a problem with the way credit card data is being handled, they must report it to their manager as soon as possible. This is an important piece of the PCI DSS security awareness training requirement.

Here are some of the most important topics that must be included in PCI DSS Training:

  • All employees must ensure that any third-party vendors, including repair staff, are legitimate and authorized to be onsite.
  • Employees must always verify that any vendor seeking access to areas where credit card data is stored is approved and authorized.
  • Criminals will also try to pose as authorized maintenance personnel in order to gain access to point of sale devices.
  • All third parties that request access to any computer or point of sale device must be verified before being provided access.
  • There are clear policies that ensure credit cards are only processed on devices or computers designated for this purpose and that customer PINs or account data are never stored on any device.
  • Any computer used for the processing of credit cards can only be used for this purpose.
  • No employee or maintenance staff is ever authorized to unplug or remove the point of sale device and the disabling of anti-virus software on any work computer is not allowed.

The education of all employees on PCI DSS rules is now a required best practice for all organizations that process credit cards. It is imperative that employees always treat customer credit card information as they would want their own information to be protected.