The Payment Card Industry Data Security Standard is a set of 12 requirements designed to ensure that all companies that process, store, or transmit payment card information keep data protected and secure.
Our interactive, engaging PCI-DSS training course teaches the 12 requirements but, more importantly, gives the learner the opportunity to apply them to real-life situations and put them into practice.
WHAT IS PCI DSS?
Video: PCI DSS protects payment card data, maintains customer trust, and safeguards our reputation.
Interactive Screen: Overview of the 12 PCI DSS requirements designed to protect cardholder data.
Scenario: Consequences of a security breach leading to the theft of payment card information.
Key Learning: All merchants must adhere to the PCI DSS. Under inspection, if a merchant fails to meet the PCI DSS, they could face litigation, fines, and removal or reduction in services from the payment card company.
Scenario: Protecting cardholder data.
Key Learning: Heavy fines and penalties are common for merchants, small or large, who fail to meet PCI DSS.
SENSITIVE DATA & VULNERABLE AREAS
Interactive Screen: Merchant-based vulnerabilities may appear almost anywhere in the card-processing system. Real-life examples of how to protect cardholder data.
Scenario: Identifying the possible causes of a data breach.
Key Learning: Retailers are responsible for maintaining security of the payment card transaction environment. This includes ensuring that computers, networks, and passwords are secure.
Scenario: Identify how to prevent breaches.
Key Learning: Storing cardholder data provides opportunities for criminals to steal data. Records should be stored only when necessary and destroyed as soon as possible.
HANDLING AND STORING DATA
Interactive Screen: The importance of ensuring payment card data doesn’t fall into the wrong hands. Real-life examples of how to handle and store payment card data.
Scenario: Ensuring the security of cardholder data.
Key Learning: Transaction information may only be kept for the required length of time, as per the card issuer’s terms and conditions. It is necessary to destroy all digital and hard-copy records as soon as they are no longer needed.
Scenario: Identifying ways to ensure network security.
Key Learning: Data must only be stored when absolutely necessary and only for as long as is required. Noncompliance can result in fines and penalties from the payment brands and can be catastrophic to a business.
Scenario: Sending payment cards from one location to another.
Key Learning: When sending high-value goods like credit or payment cards, you should only use a delivery method that has been approved by the company.
Scenario: Consequences of cardholder data falling into the wrong hands.
Key Learning: If cardholder data falls into the wrong hands, we could lose our entitlement to accept payment cards, which could destroy our business, and face huge fines for each instance of payment card data that’s compromised.
Interactive Screen: Guidance on preventing breaches.
Scenario: Consequences of failing to mask PANs in a spreadsheet sent to another department.
Key Learning: Storing and disseminating payment card data in any format – handwritten, in a document or spreadsheet, an email, memory stick, or any other method – reduces the security of the data and renders it vulnerable to a breach.
Scenario: What types of data can be stored?
Key Learning: In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Cardholder name, service code, expiration date, and PAN can be stored under special circumstances, as long as they are encrypted.
Scenario: Identify possible causes of a network breach.
Key Learning: If payment card data is processed on our computer network in any way, for example, at checkouts, online transactions, or through telephone activity, the whole network and premises must be secured to prevent unauthorized access.
MORE PCI-DSS COMPLIANCE
Companies and employees have a legal, moral, and ethical responsibility to guard against breaches of customer data.
Our training will help you know what to do AND what not to do, as you deal with customer payment card data. Remember, nothing is more important than keeping customers’ payment card data secure.
Whether the data is printed, stored locally, or transmitted over a public network to a remote server or service provider, the merchant has a role to play in keeping the cardholder data secure if they accept payment cards.
Using fobs or cards to control access to IT areas is considered good practice, but will not prevent data breaches if the network can be hacked from outside the building using an unsecured wireless network.
Routers and firewalls come with a predefined password to allow them to be configured. Failing to change this default to something more complex and secure will leave the whole network vulnerable to outside threats.
All POS equipment should be secured and checked for malware regularly. If there is no need to store data on checkout computers, this feature should be removed.
Data must only be stored when absolutely necessary and only for as long as is required.