Most discussions related to PCI compliance tend to focus on the technology aspects of protecting customers’ personal and financial data. However, there is another aspect of compliance that is just as — if not even more — important: employee training.
Inevitably, if you accept payments from customers, your employees are going to have access to data, and as such, they have a responsibility to protect it. Not only that, but your employees are often the first line of defense against fraud, so it’s absolutely vital that you thoroughly train them in how to appropriately handle cardholder data and avoid leaving your business open to fraud, data breaches, and significant loss.
Unfortunately, studies show that as many as 34 percent of businesses have not adequately trained their employees in these important tasks. Even more alarming is that these same companies are also targeted by an average of several dozen social engineering attacks each year, meaning that their chances of falling prey to a criminal and revealing sensitive data are exponentially higher than companies that have provided the required training. The bottom line? Employee training is crucial to keeping your business safe from data thieves.
The Rules About Employee Training
Employee training requirements for PCI compliance fall under requirement number 12 in the PCI Security Standards: “Maintain a policy that addresses information security for employees and contractors.” However, while this general requirement is rather vague, the more detailed standards break the policy requirement down into three specific pieces:
- Documentation. Documentation, as it relates to employee training, refers to everything from policies about passwords and access controls to the details about specific training sessions, including who conducted the training, when, and what was included in the training session. Additional information that needs to be documented are standards, protocols, and procedures related to the handling of customer data.
- Security Awareness Training. The PCI Security Standards specifically state that businesses must “Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.” This includes training in how to identify social engineering attacks, how to identify “skimming” or other unauthorized devices on POS terminals, and general awareness of the proper management of cardholder data and the potential threats the business faces. This training should also cover appropriate procedures for responding to suspicious activity.
- Regular Updates to Training. Finally, the PCI standards call for businesses to continually update and reiterate security training for employees. Should your business be subject to an audit, one of the things that auditors will be checking for is ongoing, up-to-date security training for all employees, including new employees during orientation. PCI security training cannot be done once and considered “handled.” It needs to be constant, and adjusted to reflect new and emerging threats.
Implementing a Training Program
The PCI Security Standards outline many of the requirements for how to train employees and how to document that training. However, at a minimum, you should train your employees in the following:
- What to look for on credit cards, and some of the common signs of a fraudulent card.
- How to compare signatures, and the need to request further documentation or decline a card if it is not signed.
- How to properly handle information provided over the phone, including using only approved forms to record information and collecting CVV numbers.
- The importance of keeping cards within a customer’s line of sight.
- How to respond if a card is declined, and a policy on manually entering card numbers.
- How to store credit card receipts in a secure, locked area, and the procedure for delivering the day’s receipts to the accounting department.
- How to send cardholder data between departments, if necessary, and the importance of avoiding unsecured forms of communication.
- Policies for processing refunds.
- The importance of protecting cardholder data and not sharing it with others.
- Proper password management.
You may have other, more specific, requirements for your business, but starting with these points will ensure that your employees are well-versed in the importance of protecting sensitive data and how to do it. Considering that if a breach occurs, your business will be 100 percent liable for any data that is handled inappropriately, it is well worth the time and effort to develop a comprehensive employee training program for PCI compliance.