By Michael Levin, CEO, Center for Information Security Awareness – CFISA
Every business and consumer should be concerned about the security of their credit card data. PCI DSS stands for the Payment Card Industry – Data Security Standard. It sets policies and procedures for businesses of all sizes to help implement security best practices in the handling, transmitting, processing and storing of customer credit card information.
When you think of credit card security best practices, do you think about how you expect a business to protect your credit card information when you make a purchase?
- Would you want a business throwing your printed full credit card receipt information into a dumpster?
- Would you be happy if a business emailed or transmitted your credit card number over the internet unencrypted?
- Would it be OK with you if employees left your credit card information on their desk in plain view while they went to lunch?
- How would you feel if your credit card information was stored on a laptop and the laptop was stolen from a parked vehicle?
- Would you be angry if your credit card information was stolen because a business was careless with security of your credit card data?
PCI DSS was created to address these issues and create security best practices for the credit card industry including all businesses that accept credit cards.
PCI DSS Security Awareness Training is a Required Best Practice
One of the important requirements of PCI DSS compliance is security awareness training for employees upon hire and at least annually. The annual training can be completed in conjunction with the signing of the acceptable use policy statement.
The acceptable use policy statement describes the policies and procedures employees are required to follow when using company computers and resources.
If you accept, manage, or transmit credit cards and the personal information contained in the card, you need to train your employees upon hire and annually to be PCI DSS compliant.
Employees are on the front line of protecting credit card information, so their understanding of the rules and their vigilance are imperative. Training all employees on the rules of PCI DSS compliance should be one of the first steps required when starting this process.
Important PCI DSS Training Topics
Whether your employees work at the front desk with customers or in a back office, they are equally responsible for following the PCI DSS rules.
Employees need to be aware that if they see a problem with the way credit card data is being handled, they must report it to their manager as soon as possible. This is an important piece of the PCI DSS security awareness training requirement.
Here are some of the most important topics that must be included in PCI DSS Training:
- All employees must ensure that any third-party vendors, including repair staff, are legitimate and authorised to be onsite.
- Employees must always verify that any vendor seeking access to areas where credit card data is stored is approved and authorised.
- Criminals will also try to pose as authorised maintenance personnel in order to gain access to point of sale devices.
- All third parties that request access to any computer or point of sale device must be verified before being provided access.
- There are clear policies that ensure credit cards are only processed on devices or computers designated for this purpose and that customer PINs or account data are never stored on any device.
- Any computer used for the processing of credit cards can only be used for this purpose.
- No employee or maintenance staff is ever authorised to unplug or remove the point of sale device, and disabling anti-virus software on any work computer is not allowed.
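The "never stored on any device" rule above is only as good as the checks that verify it. As an added illustration (not part of the original article or of CFISA's material), the following Python script scans log lines for primary account numbers the way a defender's data-discovery check would: it looks for 13 to 19 digit runs, discards candidates that fail the Luhn check so that order numbers and timestamps are not flagged, and reports each hit with the number masked to the first six and last four digits. The sample log lines and card numbers are constructed for the example (the numbers are publicly known test values, not real accounts).

```python
import re
from typing import List, Tuple

# Constructed sample log lines for demonstration only; the card numbers are
# publicly known test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-01-15 10:30:00 POS-07 sale approved card=4111111111111111 amount=42.10",
    "2024-01-15 10:31:12 web checkout card=5500 0000 0000 0004 amount=19.99",
    "2024-01-15 10:32:45 order id=1234567890123456 status=shipped",
    "2024-01-15 10:33:01 amex refund card=3782-822463-10005 amount=100.00",
    "2024-01-15 10:34:20 POS-07 heartbeat ok",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so the candidate is digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return digits-only PANs found in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _redact_match(m: "re.Match") -> str:
    """Mask a regex match if it is a valid PAN; leave other digit runs untouched."""
    digits = _normalise(m.group(0))
    return mask_pan(digits) if luhn_valid(digits) else m.group(0)


def scan_lines(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Report each line holding a PAN as (line number, redacted line, masked PANs)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            findings.append((n, CANDIDATE.sub(_redact_match, line), [mask_pan(p) for p in pans]))
    return findings


if __name__ == "__main__":
    for line_no, redacted, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {masked} -> {redacted}")
```

Run against the embedded sample, it flags lines 1, 2 and 4 and leaves the 16-digit order id on line 3 alone because it fails Luhn; the redacted form is what a reviewer should see, since printing a full PAN in a findings report would itself create stored cardholder data.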
The education of all employees on PCI DSS rules is now a required best practice for all organisations that process credit cards. It is imperative that employees always treat customer credit card information as they would want their own information to be protected.
About Michael Levin
Michael Levin is a nationally known cyber security professional who spent over twenty-two years in the U.S. Secret Service protecting Presidents and Heads of State. Michael retired from the U.S. Department of Homeland Security as the Deputy Director of the National Cyber Security Division in Washington DC. He enjoyed a distinguished thirty-year career in public service and law enforcement.
Michael also served as the Branch Chief of the U.S. Secret Service Electronic Crimes Task Force program in Washington DC, supervising 17 task forces across the country. He worked in the area of computer forensics and cyber-crime investigations for over twenty years.
Other assignments included numerous Presidential, Vice Presidential and dignitary protective assignments as well as working at the CIA and NSA as the Secret Service Intelligence Liaison Officer.
After this distinguished career and seeing the need, Michael founded the Center for Information Security Awareness – https://www.cfisa.com/
The CFISA was created to explore ways to increase cyber security awareness among many audiences, including consumers, employees, businesses and law enforcement. CFISA provides online and on-site cyber security awareness training services to businesses and organisations of all sizes.