PCI DSS Compliance Training Course

The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard for organisations that process credit card payments.

The standard applies to any company with a Merchant ID that processes, stores or transmits cardholder data. PCI DSS can also act as a tool for implementing the technical measures needed for General Data Protection Regulation (GDPR) compliance.

Our Safeguarding Personal Data with PCI DSS Course will help your employees understand why PCI DSS is important, what the 12 key requirements for compliance are, and how to identify, resolve and prevent risks.

About this Course

Available as part of our Compliance Essentials and GDPR Library.

Learning objectives

This course will prepare your employees to:

  • Raise their awareness of the PCI Data Security Standard (DSS)
  • Appreciate why it is important
  • Recognise the key requirements
  • Identify what action they need to take to ensure PCI compliance

Latest course updates

Full design review conducted by a PCI DSS expert.

  • Text & image updates throughout the course
  • New pages, activities & scenarios
  • Penetration testing procedures aligned with current legislation
  • Updated scenarios & learning activities
  • New 30-question post-course assessment

Course Outline

Introduction

PCI DSS basics

- The PCI ecosystem

Why is PCI DSS important?

- Examples: Information security breaches
- Consequences of non-compliance
- You decide: Do you know?
- You decide: Fact or fiction?

How PCI DSS works

- PCI DSS merchant levels
- You decide: Merchant levels
- The goals of PCI DSS
- You decide: PCI DSS goals & requirements

Requirement 12: Maintain an information security policy

- You decide: Developing the security policy

Requirement 1: Install & maintain a firewall

- You decide: Rules for firewalls & router configurations

Requirement 2: Don't use defaults for system passwords & other security parameters

- Examples: Malware

Requirement 3: Protect stored cardholder data

- Key features of payment cards
- You decide: Rules for storing payment card data
- You decide: Taking action with payment card data
- Masking the PAN and other payment card data
- When is masking required?
- You decide: Applying the rules

Requirement 4: Encrypting the transmission of cardholder data

- Safeguarding cardholder data with encryption

Maintaining a vulnerability management program

Requirement 5: Use & regularly update anti-virus software

- Taking preventive action against malware
- Scenario: Rajan's systems maintenance

Requirement 6: Develop and maintain secure systems & applications

- You decide: Maintaining secure systems & applications
- You decide: Change control best practice
- Access control measures

Requirement 7: Restrict access to cardholder data by business need to know

- You decide: Access control

Requirement 8: Assign a unique ID to each person with computer access

- You decide: Identifying & authenticating access to cardholder data
- You decide: Passwords
- You decide: Authentication
- Password pitfalls

Requirement 9: Restricting physical access to cardholder data

- You decide: Physical access
- You decide: Procedures for visitors
- You decide: Signs of tampering
- Recap of the key rules
- Monitoring & testing networks

Requirement 10: Track & monitor all access to network resources & cardholder data

Requirement 11: Test security systems & processes

- You decide: Penetration testing

Summary

Affirmation

Assessment

Course Specifications

Structure

Approximately 60-minute long e-learning course followed by a 10-question assessment.

Audience

Suitable for all staff: includes examples and interactivities designed for staff at all levels, plus best-practice do's and don'ts for managers. No previous knowledge or experience is required.

Design

SHARD-compliant, responsive display on all devices, accessibility on screen readers, visual design controlled via a client style sheet.

Microlearning

Supplementary four-minute iExpress interactive video provided to create awareness and interest in this topic.

Compatibility

Runs on Windows, Mac OS X, iOS and Android (Flash-free for mobile compatibility). AICC- and SCORM 1.2-compliant; suitable for both hosted and deployed SCORM or AICC.

Tailoring

Fully customisable on Skillcast Portal CMS.

Translation

Pre-translated versions not available, but all text content can be exported for translation into all languages.

Localisation

Based on UK legislation, but suitable for global audiences upon the removal of UK-specific references and translation as necessary.

Access Our Courses on Skillcast Plans

Our compliance training courses are available across Skillcast plans. Our plans cover businesses with small to large teams and offer a mix of tailored and off-the-shelf courses.

We have three plans available; simply choose the one that meets your needs below.

CoreCompliance

Skillcast CoreCompliance provides your own portal pre-loaded with the key compliance courses needed in your sector. It's the most comprehensive and cost-effective compliance training solution on the market for teams of up to 50 staff.

Prices start from £349 for 12 months.

Standard Plan

Skillcast Standard is a flexible plan for building your digital compliance portal. You start with our award-winning Learning Management System and select one or more course libraries to train your staff.

Later, you can add the Policy Hub for policy attestations, DSE self-assessment, Gifts and Hospitality register, and other features to streamline staff compliance.

Premium Plan

Skillcast Premium combines our innovative technology tools and features into one simple solution. The premium plan is designed for companies that want a fully featured, branded and managed portal to transform their staff compliance.

It enables you to create comprehensive user journeys to deliver learning and policies, obtain declarations and submissions, and consolidate data to achieve your compliance outcomes.

More on SMCR

In the United Kingdom, the Senior Managers and Certification Regime (SMCR) is designed to foster accountability among senior managers at financial services companies while elevating ethical and professional standards across the entire workforce.

The SMCR replaced the Approved Persons Regime (APR), which was previously applicable to key individuals in regulated entities. In the realm of insurance companies, this regime effectively superseded the Senior Insurance Managers Regime (SIMR), marking a significant shift in how financial services firms manage and hold their senior personnel accountable.

There are three key parts to the SMCR: Senior Managers Regime, Certified Persons Regime and Conduct Rules.

  • Senior Managers Regime
    This enforces a detailed and clear allocation of responsibilities between senior managers at each firm, with particular emphasis placed on key documents - 'Statements of Responsibilities' and 'Responsibilities Maps'. These help to record the distribution of responsibility to individual Senior Managers and to demonstrate to the regulators that there are no gaps or excessive overlaps. Always bear in mind that Senior Managers have a statutory duty of responsibility "to take reasonable steps to prevent regulatory breaches in the areas of the firm for which they are responsible".
  • Certification Regime
    This requires firms to check and confirm that employees performing roles relating to the firm's regulated activities are fit and proper, based on their qualifications, competence and personal characteristics. Once this has been confirmed, the firm needs to issue them with a certificate that must be renewed every year.
  • Conduct Rules
    This consists of a set of rules provided in the FCA's Code of Conduct sourcebook (COCON) that covers all individuals: Senior Managers, Certified Persons and other employees.

How to comply with SMCR

1. Statement of Responsibilities - Set out the areas for which each Senior Manager is personally accountable
2. Responsibilities Map - This knits together the individual Statements of Responsibilities into a firm-wide picture
3. Pre-approval for all Senior Managers - Obtain this from the regulators before they carry out their roles
4. Duty of Responsibility - Ensure that Senior Managers understand their responsibilities and take reasonable steps to prevent regulatory breaches in their areas of responsibility
5. Identify all Certified Persons - These are all material risk takers
6. Fit and Proper Assessment - Of all Certified Persons, then re-assess on an annual basis
7. Training - Of all those who are subject to the Conduct Rules

SMCR Scope

SMCR rollout waves

The SMCR has been rolled out in three waves:

Wave 1: Banks, building societies, credit unions and large investment firms in March 2016 (updated July 2018)
Wave 2: Extended to insurance firms (those regulated by the FCA and PRA) in December 2018
Wave 3: The remaining financial services firms (otherwise known as 'solo-regulated firms' since they are regulated only by the FCA, not the FCA and PRA) came under the scope of this regime in December 2019.

SMCR categories

The third wave encompasses a wide variety of firms. To ensure that regulation is appropriate to their sizes and activities, the FCA has categorised them into three distinct groups:

Core: Firms that have to comply with the baseline requirements for solo-regulated firms
Limited scope: Firms that already had exemptions under the Approved Persons Regime, and are exempt from some requirements and require fewer senior management functions
Enhanced: Firms that have extra requirements - these are large, complex firms with potential impact on consumers or markets which warrant more attention from the FCA

SMCR & Duty of Responsibility

Senior Managers have a statutory duty of responsibility "to take reasonable steps to prevent regulatory breaches in the areas of the firm for which they are responsible". The FCA can take action against a Senior Manager (SM) where it can show that:

  • There was misconduct by the SM's firm;
  • At the time of the misconduct, or during any part of it, the SM was responsible for the management of any of the firm's activities in relation to which the misconduct occurred; and
  • The SM did not take such steps as a person in their position could reasonably have been expected to take to avoid the misconduct occurring or continuing.

The burden of proof for all three elements lies with the FCA. The SM does not need to show that they took reasonable steps; rather, it is for the FCA to prove that they did not. The defence against such action is for the Senior Manager to show that they took "the steps that are reasonable for a person in that position to take to prevent a regulatory breach from occurring".

Fitness and Propriety

The FCA must approve all Senior Managers; this approval process assesses whether they are fit and proper to perform the given function or responsibility.

Three key factors determine whether you are Fit and Proper:

  1. Honesty, integrity and reputation
  2. Competence and capability
  3. Financial soundness

When assessing a person's financial soundness, the FCA typically does not require a statement of the individual's assets or liabilities. Having limited financial means does not, by itself, impact the suitability of a person to perform a Senior Management Function (SMF).

When appointing a Senior Manager or Certified Person, firms must obtain regulatory references from all of that person's employers over the past six years. This requirement also applies to the appointment of Non-Executive Directors (NEDs) who are not Senior Managers.

To meet this requirement, firms must keep records of disciplinary actions and fit and proper assessments for the past six years and avoid any agreements that would conflict with their disclosure obligations.

Want to learn more about SMCR?

This training aid is just one of 100+ free compliance training resources, including assessments, best practice guides, checklists, desk aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!

You can keep up to date with SMCR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech, and RegTech news, by subscribing to our FCA Compliance Bulletin.

Our SMCR Compliance roadmap will help you navigate the compliance landscape supported by a comprehensive library of SMCR Courses and a fully integrated SMCR 360 Compliance Toolkit to streamline, unify and automate your processes.

Finally, SkillcastConnect provides a unique opportunity to network with other compliance professionals in a vendor-free environment, as well as exclusive benefits, including access to our free online learning portal.

Try our courses for free...

Compliance Essentials Library is our best-selling comprehensive corporate training solution.

100+ e-learning and microlearning courses that help companies from SMEs to multinationals achieve compliance success.