Updated: Apr 25, 2021
If your company accepts payment cards, the Payment Card Industry (PCI) security standard requires you to protect cardholder information and confidential authentication data wherever it is processed, stored, or transmitted. But achieving PCI compliance can be challenging. A lack of PCI security training is often reflected in reports of credit card data breaches, frequently involving well-known retailers, hospitality providers, healthcare organizations, financial services companies, and other establishments.
What is PCI Compliance?
PCI compliance refers to a set of standards designed to ensure that the credit card industry is properly and uniformly protecting customer data throughout the industry. The PCI Security Standards Council was established by a group of the major credit card providers, in 2006, in an effort to regulate the industry and manage security standards. PCI compliance applies to any organization that accepts credit cards. If your company processes, transmits, or stores credit card information, you must be PCI compliant. If a data breach occurs, lack of PCI compliance could result in significant penalties for your organization. But achieving PCI compliance can decrease this liability.
The Four Levels of PCI Compliance
A breach at a small business has far less potential for damage than a breach at a very large retailer. Given the disparity in the size of the datasets that might be compromised, there are four levels of PCI compliance that an organization can fall into.
Level 1: Merchants processing 6 million+ transactions per year across all channels, or any merchant that has had a data breach. Credit card companies can also choose to move a merchant up to Level 1.
Level 2: Merchants processing between 1 million and 6 million transactions per year across all channels.
Level 3: Merchants processing between 20,000 and 1 million eCommerce transactions per year.
Level 4: Merchants processing fewer than 20,000 eCommerce transactions per year or any merchant processing up to 1 million regular transactions per year.
As you can see, the more transactions you process, the higher the level your company falls into. But it is also important to understand that eCommerce merchants can go directly from Level 4 to Level 2 (bypassing Level 3), depending on the growth of the business and the number of transactions processed.
How to Become PCI Compliant
When your business is ready to become PCI compliant, there are a number of steps you will need to take:
Examine Your Current Compliance Level
Your first step toward achieving compliance is to analyze your current status. There are varying security standards, driven by how you process customer transactions, how you manage data, which credit card companies and banks you do business with, and the transaction volume you process. Start by analyzing where your company fits and how your business is described in PCI’s general standards. This will prepare you for the steps that follow.
Complete the Self-Assessment Questionnaire
The self-assessment questionnaire (SAQ) is a guidebook that helps you assess your current compliance level. There are nine different versions of the SAQ guidebook, each designed for different types of businesses. When you find the right book for your business, it will walk you through the different requirements, and help you identify any missing pieces of payment security for your company.
Make the Required Changes
Once you find the areas where your business falls short, you can incorporate the necessary security improvements. Once these are completed, you can take the SAQ again.
Choose a Provider that Utilizes Data Tokenization
Data tokenization is technology that stores sensitive customer credit card information in a secure, web-based portal rather than on your on-premises servers. This approach better protects your customer data while reducing your company’s liability in the event of a data breach.
Complete an Attestation of Compliance
You are now ready to fill out an attestation of compliance (AOC). This is the process of formally claiming that your business is fully compliant with all PCI standards applicable to it. Following this, you can have a qualified assessor examine your work and produce a report on your compliance to validate it.
File the Paperwork
Once all the steps are completed, you can file the paperwork with your credit card companies and/or banks. You must submit your SAQ, your AOC, and any other documents these organizations may require.
eLearning for PCI Awareness Training
PCI Awareness training is recommended for any organization that must comply with PCI security standards. By creating employee awareness of security, organizations can enhance their security position and reduce the risk of compromising cardholder data.
Some of the benefits of PCI awareness training include:
Developing and adhering to best practices
Controlling your overall costs
Gaining an understanding of PCI compliance before going through an assessment
Applying PCI security principles across your business operations
Earning continuing education credits
While most of the PCI requirements address security from a technological perspective, there is a requirement (Requirement 12.6) that addresses PCI from a training aspect. This requirement states that organizations must, “implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.” This requirement creates a clear expectation that organizations will mandate PCI training at least once per year. It also states that employees will acknowledge in writing that they have read and understand the organization’s payment security policy.
LMS Portals for PCI Compliance Certification and Training
LMS Portals provides a cloud-based platform for employee training through a branded eLearning portal. Using our platform, you can quickly, easily, and cost-effectively deliver PCI training to your employees in order to minimize the risk of data breaches and achieve PCI compliance.
Contact us to discuss a customized PCI Compliance and Awareness eLearning Course for your organization.