The Payment Card Industry Data Security Standard (PCI DSS)
Anyone that handles, stores, processes, and transmits credit card and electronic payment data must be trained and comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data. It’s a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.
Having a set of eLearning courses on this subject can help prevent the loss or disclosure of customer information including credit card numbers.
PCI DSS Vulnerabilities
Customers and employees need to understand the situations in which payment information becomes vulnerable. The list below covers just some of the relevant best practices; when followed, they reduce those vulnerabilities.
- Don't allow any payment card information to be written down
- Enter credit and debit card numbers only into PCI-compliant software
- Never write or store CVVs (Credit Card Verification Codes)
- Don't ask for or provide photocopies of payment cards
- Never email or fax card numbers
- Never share IDs or passwords for critical systems
- Require strong passwords for yourself and your employees
- Never connect external USB thumb drives to company-owned computers or systems
- Never leave electronic payment card terminals (EBTs) unattended
In addition to the list above, I like to inspect fuel dispensers at travel centers and convenience stores for any signs of tampering from card skimmers (small, electronic devices that criminals secretly install at payment terminals).
And I support merchants that have migrated their equipment to EMV-compliant solutions. (An EMV card is a credit or debit card with an embedded microchip designed to enable security.)
Microlearning And Social Engineering
Because PCI DSS is such a broad subject, having a plan to deliver eLearning to your employees in small doses is one of the best ways to minimize your organization’s risk of losing your guests' payment card data. In addition, understanding social engineering will help you protect payment card information and other important personal data.
Social engineering, in the context of information security, is psychologically manipulating people into divulging confidential information (like payment card information and other valuable data). Don't fall for it; it tricks users into making security mistakes or giving away sensitive information. A common method is for a computer hacker to pretend to be from an IT department or perhaps a well-known computer company, software provider, or bank.
Because PCI compliance can be daunting, delivering bite-sized courses on several different PCI DSS-related subjects could be key to your success. Microlearning is therefore a practical way to teach these concepts to your employees. To demonstrate the point, here are just a few subjects covering common social engineering attacks:
- Baiting attacks: Using a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
- Scareware: Bombarding victims with false alarms and fictitious threats. Users are led to believe their system is infected with malware, prompting them to install software that has no real benefit. Even worse, they may be prompted to install a virus or trojan horse software.
- Pretexting: When an attacker obtains information through a series of cleverly crafted lies. They often establish trust with their victims by impersonating co-workers, police, bank employees, and tax officials.
- Phishing scams: Email and text message campaigns aimed at creating a sense of urgency, curiosity, or fear in victims. These then prod them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malicious software (malware).
- Spear phishing: A targeted version of a phishing scam whereby an attacker chooses specific individuals or entities. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous and more believable.
Knowing When To Outsource Content Development
PCI DSS standards are mandated by the card brands and administered by the Payment Card Industry Security Standards Council. PCI DSS compliance is important for all industries and merchants, and even more important to their consumers. If your employees handle payment card transactions, you must stay abreast of PCI regulatory guidelines and keep your employees informed.
If you author your eLearning on this subject, make sure that your materials are carefully scrutinized by a reputable source (or company) that can verify that you are teaching the correct information. Otherwise, consider getting help with your training from sources with the proper credentials.