Every business or organization that processes credit card payments is now required to follow security best practices. If you accept, handle, or transmit credit cards and the cardholder data they carry, you must train your employees upon hire and annually in order to be PCI DSS compliant.
Employees are on the front line of protecting credit card information, so their understanding of the rules and their vigilance are essential. Training all employees on the rules of PCI DSS compliance should be one of the first steps you take when starting this process.
What is Employee PCI Training?
According to PCI DSS Requirement 12.6, published by the PCI Security Standards Council, employees must receive PCI security awareness training upon hire and annually thereafter. This employee PCI training must be repeated every year and can be completed together with the signing of the acceptable use policy statement.
What does PCI training include?
Training all employees is important. It does not matter whether your employees work at the front desk with customers or in a back office; they are equally responsible for following the PCI DSS rules.
Employees need to know that if they see a problem with the way credit card data is being handled, they must report it to their manager as soon as possible. This is an important part of the PCI DSS security awareness training requirement.
Based on many recent credit card data breaches, employee PCI training should cover the following policy topics:
- Cyber security best practices, including password protection, social engineering, email best practices and phishing, safe Internet use, and device management.
- All employees must always confirm that any third-party vendor, including repair staff, is legitimate and authorized to be onsite.
- Employees must verify that any vendor seeking access to areas where credit card data is stored has been approved and is authorized.
- Criminals frequently pose as authorized maintenance personnel in order to gain access to point of sale devices.
- There must be clear policies ensuring that credit cards are processed only on devices or computers designated for that purpose, and that customer PINs or account data are never stored on any device.
- No employee or maintenance worker is ever authorized to unplug or remove a point of sale device, and disabling anti-virus software on any work computer is not allowed.
Getting Started With PCI Training for Employees
Does your business provide PCI compliance security awareness training for its employees? If not, you are compromising the security of your customers' credit card data.
Employees who are not aware of the policies are guaranteed to make mistakes and put customer data at risk. Employees are more likely to follow procedures if they understand the reasons behind them.
Basic steps include:
- Put all PCI DSS policies in place
- Provide PCI DSS training for employee security awareness
- Document the training
- Update your training annually
Implementing Employee PCI Training
We can't emphasize this enough: PCI awareness training is not a "one and done" exercise. In fact, the more you teach your employees about PCI credit card data security, the more secure your business will be.
Employees generally want to understand the risk associated with mishandling credit card data. Encouraging employees to treat customer data as they would want their own data treated is a great starting point for PCI training.
It is important that employees understand the acceptable use policy statement along with every other policy that governs the handling of credit cards. Simply signing the policy document without understanding the risk is not acceptable, and the training needs to cover this.
All employees at the business need to receive PCI training. Even those who do not handle credit card information are still required to follow all PCI DSS policies in the course of their duties. All employees are equally responsible for ensuring that security best practices are followed at work.
Want to Learn More?
If you want to protect your employees and your business from PCI DSS violations and other data breaches, contact CFISA today at (561) 325-6050 to learn how we can help.
Founded by Michael Levin, a former Secret Service Agent and Deputy Director of the National Cyber Security Division of the Department of Homeland Security, the Center for Information Security Awareness (CFISA) helps businesses, government agencies, and academic institutions empower their employees to fight cybercrime. We provide personalized, engaging, compliant, and affordable training in PCI DSS, HIPAA, InfraGard Awareness, and Cyber Security Awareness.
Remember, no matter how big or small your company is, and no matter how well the back doors to your systems are barricaded, one employee clicking on the wrong link, attachment, or website could open the front door. CFISA trains your employees on the best practices for avoiding potentially catastrophic data breaches.
Call us today at (561) 325-6050 to learn how we can help.