CT PCI DSS Compliance

The PCI-DSS Compliance Training teaches employees the core standards for protecting cardholder data, including network configuration, vulnerability management, and access controls, so they can safely handle payments and avoid costly breaches.

Who Should Take This

Front-line staff, customer service agents, and any employee who processes, stores, or transmits payment card information benefit from this course. It targets individuals with basic technical familiarity who need practical guidance on PCI-DSS requirements, risky behaviors, and reporting procedures. Learners finish able to apply secure handling practices in daily tasks.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

62 learning goals
1 PCI-DSS Foundations and Scope
3 topics

PCI-DSS overview and purpose

  • Identify the purpose of the Payment Card Industry Data Security Standard and the role of the PCI Security Standards Council in setting and maintaining these requirements.
  • Describe the six control objectives and 12 high-level requirements of PCI-DSS and explain how they work together to protect cardholder data throughout its lifecycle.
  • Identify which organizations must comply with PCI-DSS including merchants, service providers, and any entity that stores, processes, or transmits cardholder data.

Cardholder data and scope definitions

  • Recognize the elements of cardholder data (primary account number, cardholder name, expiration date, service code) and sensitive authentication data (CVV/CVC, PIN, full magnetic stripe data).
  • Explain why sensitive authentication data must never be stored after authorization even if encrypted and describe the difference between cardholder data and sensitive authentication data retention rules.
  • Describe the cardholder data environment (CDE) concept and explain how identifying all systems, people, and processes that touch cardholder data determines PCI-DSS scope.
  • Analyze a business process to identify where cardholder data enters, flows through, and exits the environment and determine which systems fall within PCI-DSS scope.

Compliance validation and reporting

  • Identify the four merchant compliance levels based on annual transaction volume and the corresponding validation requirements for each level.
  • Describe the different Self-Assessment Questionnaire (SAQ) types including SAQ A, SAQ A-EP, SAQ B, SAQ C, SAQ D and explain which applies based on payment channel and processing method.
  • Describe the roles of Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), and Approved Scanning Vendors (ASVs) in the PCI-DSS compliance validation process.

2 Secure Network and System Configuration
3 topics

Firewalls and network segmentation

  • Identify the purpose of firewalls and routers in restricting traffic between untrusted networks and the cardholder data environment as required by PCI-DSS Requirement 1.
  • Describe how network segmentation reduces PCI-DSS scope by isolating the CDE from non-payment systems and explain the verification requirements for segmentation controls.
  • Analyze a network diagram to evaluate whether segmentation effectively isolates the CDE and identify potential scope expansion through improperly connected systems.

Secure system defaults and hardening

  • Recognize the risks of using vendor-supplied default passwords, settings, and unnecessary services on systems within the CDE as addressed by Requirement 2.
  • Describe system hardening practices including removing unnecessary services, changing default credentials, and applying security configuration standards to CDE components.

Wireless network security

  • Identify PCI-DSS requirements for wireless networks within the CDE including disabling WEP, using strong encryption (WPA2/WPA3), and changing default wireless settings.
  • Describe the requirement to detect and identify authorized and unauthorized wireless access points through quarterly wireless scanning or continuous wireless IDS/IPS monitoring.
  • Recognize the risks of rogue wireless access points in retail environments and describe employee responsibilities for reporting unfamiliar network devices.

3 Protecting Cardholder Data
3 topics

Data storage and retention

  • Identify PCI-DSS Requirement 3 data storage restrictions including what cardholder data may be stored, masking requirements for PAN display, and rendering stored PAN unreadable.
  • Describe methods for rendering stored PAN unreadable including one-way hashing, truncation, index tokens with securely stored pads, and strong cryptography with key management.
  • Explain data retention and disposal policies requiring organizations to limit cardholder data storage to what is needed for business and to securely delete data when no longer required.

Encryption and transmission security

  • Identify PCI-DSS Requirement 4 encryption requirements for transmitting cardholder data over open, public networks using strong cryptography protocols.
  • Recognize that sending unencrypted PAN via end-user messaging technologies such as email, instant messaging, SMS, or chat is prohibited under PCI-DSS.
  • Analyze a data flow scenario to identify points where cardholder data transmission lacks adequate encryption and recommend corrective controls.

Tokenization and scope reduction

  • Describe how tokenization replaces cardholder data with non-sensitive tokens that cannot be reversed to the original PAN, reducing PCI-DSS scope for systems handling tokens.
  • Explain how point-to-point encryption (P2PE) and validated P2PE solutions reduce scope by encrypting cardholder data from the point of interaction to the secure decryption environment.
  • Analyze a payment processing architecture to identify scope reduction opportunities through tokenization, P2PE, and outsourcing to PCI-compliant service providers.

4 Vulnerability Management and Security Testing
3 topics

Anti-malware and vulnerability management

  • Identify PCI-DSS Requirement 5 obligations to deploy and maintain anti-malware software on all systems commonly affected by malicious software within the CDE.
  • Describe PCI-DSS Requirement 6 obligations including developing secure applications, patching known vulnerabilities promptly, and addressing common coding vulnerabilities.

Monitoring and testing

  • Describe PCI-DSS Requirements 10 and 11 for monitoring and testing, including tracking all access to network resources and cardholder data through logging, log review, and audit trails.
  • Identify the requirement for regular security testing including quarterly network vulnerability scans by an ASV and annual penetration testing of the CDE.
  • Explain the purpose of file integrity monitoring (FIM) for detecting unauthorized changes to critical system files, configuration files, and content files within the CDE.

Security awareness and social engineering

  • Recognize common social engineering attacks targeting payment card environments including phishing emails impersonating payment processors, pretexting calls requesting card data, and baiting attacks.
  • Describe secure password practices for systems within the CDE including minimum length requirements, complexity rules, password expiration, and prohibition on sharing credentials.
  • Identify the employee's responsibility to report suspected social engineering attempts, phishing emails, and unauthorized requests for cardholder data to the security team.

5 Access Control and Authentication
4 topics

Need-to-know access restrictions

  • Identify PCI-DSS Requirement 7 principles restricting access to cardholder data to only those individuals whose job requires it based on the need-to-know principle.
  • Describe role-based access control systems that limit cardholder data access to the minimum privileges needed for each job function within the organization.
  • Analyze access control configurations to identify excessive privileges, shared accounts, and unnecessary access to cardholder data that violate the need-to-know principle.

Authentication and user identification

  • Identify PCI-DSS Requirement 8 obligations for assigning unique IDs to each person with computer access and implementing strong authentication mechanisms.
  • Describe multi-factor authentication requirements for administrative access to the CDE and remote access from outside the network.
  • Explain password and authentication policies including minimum length, complexity, rotation, lockout thresholds, and prohibition of shared or generic accounts.

Physical access controls

  • Identify PCI-DSS Requirement 9 physical security controls including facility access restrictions, visitor management, media protection, and POS terminal inspection.
  • Describe procedures for physically securing POS terminals including tamper detection, serial number tracking, periodic inspection, and employee training on recognizing tampering.
  • Explain media handling requirements including secure storage, controlled distribution, destruction of media containing cardholder data, and maintaining a media inventory.

E-commerce and remote payment security

  • Identify security requirements for e-commerce payment pages including TLS encryption, trusted certificate authorities, and protection against web-based attacks on payment forms.
  • Describe the risks of payment page scripts including formjacking, Magecart-style attacks, and the Requirement 6 obligation to monitor and control scripts on payment pages.
  • Explain the PCI-DSS requirements for securing remote access to the CDE including VPN with multi-factor authentication and automatic session timeout controls.
  • Analyze a web payment implementation to identify security gaps in cardholder data capture, transmission, and storage that could expose the organization to PCI-DSS non-compliance.

6 Employee Responsibilities and Practical Scenarios
4 topics

Handling cardholder data in daily operations

  • Recognize prohibited behaviors including writing down full card numbers, photographing payment cards, storing CVV codes, and reading card numbers aloud in public areas.
  • Describe proper procedures for taking card-not-present payments over the phone including never recording calls containing full PAN and securely handling written notes.
  • Identify secure procedures for processing refunds, chargebacks, and recurring payments without exposing stored cardholder data to unauthorized personnel.

Skimming and terminal security awareness

  • Recognize common card skimming techniques including overlay devices on POS terminals, ATM skimmers, shimming for chip cards, and hidden cameras capturing PIN entry.
  • Describe daily POS terminal inspection procedures including checking for loose components, unauthorized attachments, broken seals, and comparing devices against reference photos.
  • Identify social engineering tactics used to facilitate skimming including impersonating technicians, requesting terminal replacement, and creating diversions during device installation.
  • Analyze a terminal tampering scenario to determine the appropriate immediate response including isolating the device, preserving evidence, and escalating to management and security.

Incident response and reporting

  • Identify PCI-DSS Requirement 12 obligations for maintaining an information security policy and incident response plan addressing cardholder data compromises.
  • Describe the steps an employee should follow when suspecting a cardholder data compromise including containment, notification of the incident response team, and evidence preservation.
  • Explain the requirement for annual security awareness training and describe employee responsibilities for acknowledging and following the organization's security policy.
  • Synthesize a response plan for a suspected cardholder data breach incorporating containment procedures, notification requirements to card brands and acquirers, and forensic investigation initiation.

Consequences of non-compliance

  • Identify the consequences of PCI-DSS non-compliance including fines from card brands ($5,000-$100,000 per month), increased transaction fees, and potential loss of card processing privileges.
  • Describe the reputational and financial impact of a cardholder data breach including customer notification costs, fraud liability, legal expenses, and loss of customer trust.
  • Analyze breach case studies to identify which PCI-DSS requirement failures contributed to the compromise and evaluate what controls could have prevented the incident.

Scope

Included Topics

  • Payment Card Industry Data Security Standard (PCI-DSS) compliance training for employees who handle, process, store, or transmit cardholder data in retail, e-commerce, financial services, and hospitality environments.
  • Overview of the 12 PCI-DSS requirements organized across six control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
  • Cardholder data environment (CDE) scope, cardholder data definitions (PAN, cardholder name, expiration date, service code), sensitive authentication data (CVV, PIN, magnetic stripe), and scope reduction strategies.
  • Employee-facing obligations for handling payment card data including never writing down full card numbers, never sending PAN via email or messaging, POS terminal security awareness, and skimmer detection.
  • Network segmentation principles, encryption requirements for data in transit and at rest, access control on a need-to-know basis, and strong authentication requirements.
  • Self-Assessment Questionnaire (SAQ) types, compliance validation levels, qualified security assessors (QSAs), and the annual compliance reporting cycle.
  • Incident response requirements for suspected cardholder data compromises, reporting procedures, and evidence preservation.

Not Covered

  • Detailed technical implementation of specific encryption algorithms, firewall rule syntax, or intrusion detection system tuning beyond awareness level.
  • Payment gateway integration programming, tokenization system architecture, or point-to-point encryption (P2PE) technical specifications.
  • PCI PIN Security requirements, PCI 3DS, PCI Card Production, and other specialized PCI standards beyond PCI-DSS.
  • Acquiring bank relationships, interchange fee structures, card brand dispute resolution, and chargeback management processes.
  • Forensic investigation methodologies for payment card breaches conducted by PCI Forensic Investigators (PFIs).
