PCI DSS Courses


Cyber fraud and online crime unfortunately continue to rise significantly year after year. This has created fresh challenges for those who provide payment cards, such as credit and debit cards, to the public. PCI DSS (Payment Card Industry Data Security Standard) was created to address the information security needs of organisations that transmit, process or store payment card data. As PCI DSS has been implemented, the education of staff working on it has come to the fore, and a number of PCI DSS courses have been created specifically to meet this training need.

In particular, information security professionals, often working in roles within the payments industry, need to be kept up to date with all the requirements of the current PCI DSS standard. Although the standard was originally created with the aim of reducing cardholder data and credit card fraud, PCI DSS is not a law. It is a set of compliance standards that are applied and directly enforced by the payment providers themselves, so it is the payment providers who police them. Non-compliance can result in fines and other sanctions, including the removal or revocation of access.

Students attending courses in PCI DSS will be educated to the level necessary for them to implement a PCI DSS compliant programme within their workplace. The over-arching aim of the standard is to force users into action, increasing information security wherever payment card data is used in the field.

Training in PCI DSS is available at foundation level and at technical and commercial implementation levels, depending on individual students' requirements. There are also many real-world training modules offering a series of workshops that provide practical PCI DSS implementation knowledge to course students. Many of the standard's requirements pertain to WLAN configuration, passwords, wireless access, Wireless Intrusion Prevention Systems (WIPS) and activity logging within what are termed CDEs (Cardholder Data Environments).


PCI DSS Classroom training courses

There are courses at many levels relating to PCI DSS, from introductory foundation modules up to practical classes in its implementation and monitoring. Each student of information security will have different needs, so they should attend the courses that are best suited to them.

Let's next take a look at some of the course options available in PCI DSS.

1) PCI DSS Foundation level training

Foundation level courses in PCI DSS provide an introduction to the Payment Card Industry Data Security Standard (PCI DSS). Practical guidance and real-world examples are taught, giving students a basic understanding of what the standard is all about.

It should be taught at the latest version of the standard, which at the time of writing is PCI DSS v3.2.

Foundation level PCI DSS courses should cover the following elements:

  1. The objectives and purpose of PCI DSS
  2. The PCI DSS requirements for the protection of customer data
  3. Any related PCI DSS standards
  4. How PCI DSS is enforced
  5. The different levels of compliance required of merchants and service providers
  6. An overview of the twelve standard requirements
  7. How merchants and providers can report their compliance with the standard

2) PCI DSS Implementation level training

An implementation level course provides students with practical and comprehensive knowledge of all the aspects necessary to successfully implement a PCI DSS compliance programme in their organisation. Successful completion can lead to an industry-recognised PCI DSS Implementation (PCI IM) certification.

Major elements covered by courses at this level include the following:

  1. Why PCI DSS?
  2. The requirement to protect cardholder data
  3. Potential EU GDPR implications
  4. An understanding of how the payment brands enforce PCI DSS compliance
  5. The different levels of compliance for merchants and service providers
  6. How to comprehensively report PCI DSS compliance
  7. The twelve standard PCI DSS requirements
  8. Scoping and applying PCI DSS
  9. The technical implementation of the PCI DSS requirements at your organisation
  10. PCI DSS compliance documentation, including the charter, operational security policy statement, firewall and router policy, system configuration policy, inventory and ownership, data retention and disposal policy, cryptographic key management, cardholder data policy statement and anti-malware policy
  11. The use of IT governance tools such as gap analysis tools, integration with an ISO 27001 information security management system, and roles and responsibilities

3) PCI DSS Self Assessment Questionnaires (SAQ) training

For those implementing PCI DSS compliance within their enterprise, an SAQ (Self-Assessment Questionnaire) must be completed. This may sound like a simple form-filling exercise, but it is not! Training in this usually takes place in short workshops on the subject. The original SAQ had 13 questions; from PCI DSS v3.0 onwards there are 139 probing questions that must be accurately answered to ensure full compliance! Furthermore, larger merchants with more than one payment system will need to submit more than one SAQ to satisfy newer requirements, such as penetration testing.

In short, the following course content should be covered:

  1. Additional compliance requirements of PCI DSS v3 onwards
  2. The different types of SAQ
  3. New SAQ validation types, including A-EP, B-IP and D-SP
  4. The applicability of the different SAQ types to various payment processing scenarios, such as e-commerce, MOTO (Mail Order or Telephone Order) and face-to-face orders
  5. A question and answer session regarding PCI DSS and its implications for you!