Payment Card Industry Data Security Standard (PCI-DSS)

Transcription

1 Payment Card Industry Data Security Standard () Training Standard 16 th September 2015 University of Leeds 2015 The intellectual property contained within this publication is the property of the University of Leeds. This publication (including its text and illustrations) is protected by copyright. Any unauthorised projection, editing, copying, reselling, rental or distribution of the whole or part of this publication in whatever form (including electronic and magnetic forms) is prohibited. [Any breach of this prohibition may render you liable to both civil proceedings and criminal penalties].

2 Training Standard Document Ownership and Management Standard Authors Kevin Darley and Dave Neild ( Internal Security Assessors [ISA]) Standard Owner John Grannan, IT Head of Service Management The audience of this document should be aware that a physical copy may not be the latest version. Those to whom this Standard applies are responsible for familiarising themselves periodically with the latest version and for complying with these requirements at all times. Version Number Date Circulation Changes th September and DSSCompliance/default.aspx First formal issue, signed off by Design Authority on 25 th August 2015 For information in alternative formats (for example, in Braille or large print), please k.j.darley@leeds.ac.uk or call on telephone number Training Standard Version Page 2 of 6

3 Training Standard 1 Introduction This document is one of a number of documents 1 which support the University s Payment Card Industry Data Security Standard () Security Policy. It delivers the training criteria for those working within University s cardholder data environment (CDE) 2 and it is intended to be read in conjunction with the other applicable University Standards. This document will be reviewed annually, as a minimum, in accordance with the. Specific audits will be carried out against each requirement and evidence will be recorded to demonstrate the University s compliance status. Those to whom this Standard applies must also familiarise themselves with the requirements of the University s Security Policy ( Protection of Point of Sale Equipment 9.3 Training materials at point of sale locations shall be used by staff to verify engineering visits to PEDs and tills and replacement of components and to be aware of and report any suspicious behaviour or suspected tampering of components in accordance with the Operational Security Standard. PEDs and Tills All Point of Sales Processing Staff 2.2 Awareness 12.6 A formal awareness programme shall be deployed to ensure that all staff associated with the CDE understand the importance of cardholder data security and are aware of the University s Security Policy and Security Standards that are relevant to their role. 1 Additional Standards include; Management Standard, Finance Procedures Processing of Credit and Debit Card Payments, Systems Security Standard, Training Standard and Incident Management Standard. 2 This includes PIN (Personal Identification Number) Entry Devices (PEDs), Tills, Virtual Terminals (VTs), Payment Gateway Web Servers, Network Equipment, File Servers and Desktop Machines Training Standard Version Page 3 of 6

4 Training Standard 3 Additional s The following requirements are in addition to SAQ-C compliance criteria. 3.1 Protection of Point of Sale Equipment Specific training regarding the visual inspection of PCs will be given to those supervising VT operations. VTs Alumni Office and Student Finance 3.2 Training Frequency Staff associated with the CDE will be trained in the requirements of pertinent to their role prior to commencing work, and annually thereafter. 3.3 Training Programme All new CDE users will have PCI training as part of their induction All payment channel business owners and will have annual PCI training All CDE users will have annual PCI training All CDE users will be given appropriate guidance for use of their CDE technology Staff associated with CDE will undertake annual Information Security Awareness training The training programme will be reviewed annually to ensure it remains appropriate in accordance with the Training Standard Version Page 4 of 6

5 Training Standard 3.4 Training Records Staff are required to sign a training record annually to confirm that they have received training. Line management are required to maintain records of this training on the SharePoint site ( in accordance with the Management Standard and are to arrange with their respective HR team for staff training records within SAP to be updated accordingly. 3.5 Incident Response Training N/A The Incident Investigations Team shall receive annual training on: Initial incident response within the CDE Electronic evidence preservation Incident response best practices Legal implications of an incident Incident Investigations Team Training Standard Version Page 5 of 6

6 Training Standard This page is intentionally left blank Training Standard Version Page 6 of 6