Why is staff training necessary for PCI compliance - and how to do it right





Most discussions related to PCI compliance tend to focus on the technical aspects of the protection of customers' personal data and financial. However, there are other aspects of compliance, just as - if not even more - important: staff training.

Inevitably, if you accept payments from customers, your employees will have access to data, and as such they have a responsibility to protect it. Not only that, but the staff's often the first line of defense against fraud, so it's really important that you train them thoroughly in how to deal properly and data on the cardholder's your business, avoid leaving to fraud openness, violations of data, and the loss significantly.

Unfortunately, studies show that as much as 34 percent of businesses are not sufficiently trained in this important responsibility to its employees. Even frightening that there are more alike these were targeted as well, with an average of attacks, social engineering, many people each year, meaning that the chances of falling prey to criminal and display a power of data sensitive, higher than the company that has provided the training required. The bottom line? Employee training is important to keep your business data safe from thieves.

Employee training measures

Demand for trained personnel for fall under the requirements under PCI has 12 security standards PCI was: ". Policy that addresses information security for employees and contractors, one said: 'However, while the demand is not clearer, standards, more detailed break requires policies down to pieces certain number three:

Documents. Document as it relates to the training of staff, referring to everything from policy passwords and controls on access to the details of the session training specific, including those who worked hard, when, and what is included in the course training this. Additional information is documented as standard protocols and procedures related to the management of customer data.
Security Awareness Training. PCI security standards specified in particular that businesses must "implement programs to raise awareness of security official to make all employees aware of the importance of cardholder data security." This includes training in how to identify attacks as social engineering, how to identify the "skim" or unauthorized devices on the POS, and general awareness of management to correct the data of the holder and the threat potential business has faced. This training should cover the appropriate procedures for responding to suspicious activity.
Updates to regular training. Finally, the PCI standard calls for businesses to continue to update and reiterate security training for employees. Your business should be subject to an audit, one of the things that will be examined auditors for ongoing security training date for all staff, including new employees during orientation. Training security PCI can not be repeated and considered "solved". It needs to be fixed and adjusted to reflect the new and emerging threats.
Training program

Safety standards, PCI has many of the requirements of how to train their staff and how to document. However, at a minimum, you should train your staff as follows:

What to look for on a credit card and some of the common signs of a fake card.
How to compare the signatures and the need to request additional documents or decline a card if it is not signed.
How to handle the service on the phone, including the use of approved forms to record information and collect the correct CVV number.
The importance of keeping the cards in the customer's line of sight.
How to respond if a card was dropped and Policy enters the card number manually.
Attention to save the invoice credit card in a secure, locked area and there is a procedure for the provision of a bill today to the Department of Accounting.
How to send data between the cardholder's department, if necessary, and the importance of avoiding unsafe forms of communication.
Policies for processing payments.
The importance of the protection of cardholder data and did not share it with others.
Password management.
You may have other more specific requirements for your business, but start with these points will ensure that your employees are more knowledgeable about the importance of protecting sensitive data and how to do it. Considering that if a breach occurs, your business will be 100% responsible for any data that has been handled inappropriately, it is well worth the time and effort to develop a comprehensive staff training program for PCI compliance.


EmoticonEmoticon