If your company accepts credit or debit card transactions, you’re likely familiar with the Payment Card Industry Data Security Standard (PCI-DSS). But how confident are you that your employees understand their role in keeping sensitive cardholder data secure? 

With 70% of consumers preferring to pay with credit and debit cards over cash when making purchases, it’s the responsibility of businesses accepting this convenient form of customer payment to comply with rules protecting cardholder data. Annually training your employees on how to properly accept, transmit and store card transactions protects your business against fraud and data breaches, penalties and reputational harm. 

What Is PCI-DSS? 

PCI-DSS is a set of security standards designed to protect cardholder data, maintain the trust of your customers and preserve the integrity of your brand. Enacted in 2024, the standards are set by major credit card companies, including Visa, MasterCard, JCB, American Express and Discover. 

Any business that processes, stores or transmits credit card information must adhere to this standard, no matter the volume of transactions, the channel used to take card information (in-person, on the phone or online) or the size of the business.  

In addition to setting payment security requirements for businesses, PCI-DSS requires merchants to “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security” as well as educating personnel “upon hire and at least annually.”  

“When a customer hands over a payment card to a business to make a purchase, it becomes the merchant’s responsibility to ensure the customer’s cardholder data will not be compromised,” said John Brushwood, Compliance Counsel at Traliant. “When merchants fail to keep up with PCI-DSS obligations and training, it increases the risk of credit card fraud and data breaches.” 

Why PCI training for employees is important 

Every employee who handles credit card transactions plays a role in safeguarding the cardholder data that PCI-DSS covers. But without proper training, how can they recognize risks or follow best practices? 

This is where PCI training comes in. It educates all personnel about their roles and responsibilities in maintaining PCI-DSS compliance and emphasizes the importance of vigilance and adherence to established security protocols.  

So, what should PCI training for employees include? Here are some essentials: 

  • Data handling: Employees must understand how to securely handle cardholder data, such as encryption and secure storage. 
  • Recognizing threats: Training should teach employees how to identify potential security threats like phishing emails or suspicious requests for cardholder information. 
  • Incident reporting: Employees need to know how to report suspicious activities immediately, preventing small issues from becoming major security breaches. 
  • Best practices: Reinforcing everyday practices like password management, secure device usage and avoiding sharing sensitive information over insecure channels. 

Risks of non-compliance 

A 2021 Verizon Payment Security Report found that 72% of companies failed to comply with PCI-DSS year-round. Businesses that fail to implement and adhere to the proper PCI security measures and protocols not only risk exposing their customers to threats but can also face their own share of repercussions, including fines, transaction fees and, potentially, the revocation of card processing privileges. 

Payment processors and credit card companies charge PCI non-compliance fines to make up for the potential losses caused by merchants’ lack of payment security. If non-compliant, a business can face fines of $5,000 to $100,000 per month or be stripped of payment processing services. Further, businesses liable for any fraud that takes place must compensate customers for losses, as well as the cost of credit monitoring fees, identity theft insurance and card replacement.  

4 reasons merchants should complete PCI-DSS training 

For HR and legal compliance professionals, PCI-DSS training is an investment in your organization’s security culture. Here are four reasons why merchants should ensure employees complete annual PCI-DSS training: 

  1. Annual PCI-DSS training is mandatory 
    Awareness training is a business's best defense against credit card fraudsters and network hackers because it ensures employees remain vigilant in safeguarding cardholder information. PCI training for employees with access to card data promotes a security-conscious culture that complies with safety protocols and reinforces best practices in securely handling cardholder information and in detecting and reporting suspected fraudulent activities and data breaches. 
  2. PCI compliance protects merchants 
    Credit card fraud is a multi-billion dollar crime. Ensuring merchants handle cardholder data securely helps to defend against card fraud and network attacks by hackers looking to steal cardholder data. It also boosts brand reputation by demonstrating that your business puts customer safety first. 
  3. PCI compliance protects customers 
    Having their credit card information stolen by computer hackers remains a top worry of consumers. Protecting cardholder payment information builds a trusted merchant-customer relationship that keeps customers coming back. 
  4. PCI non-compliance is costly 
    If non-compliant, a business can face costly fines and be stripped of payment processing services. Further, businesses liable for any fraud that takes place will have to compensate customers for losses, as well as the cost of credit monitoring fees, identity theft insurance and card replacement. Additionally, non-compliance can damage community standing and lead to potential lawsuits. 

By investing in comprehensive PCI training for employees, you help secure your business against data breaches and make compliance a seamless part of your workplace culture. 

With the right tools and resources, your HR and legal teams can ensure that every employee is confident in their ability to safeguard cardholder data—protecting your company’s reputation and bottom line. 