PCI compliance training is one of the primary requirements of the Payment Card Industry Data Security Standard (PCI DSS). There are many PCI compliance training resources available from various organizations and companies. Some are quick and simple 15-minute trainings to provide an overview of PCI DSS and reduce insider risk from social engineering attacks like phishing, while others are in-depth courses or learning paths consisting of a series of individual courses.
Choosing the right PCI compliance training resources for your team can be challenging. To help you identify top-quality training resources, we’ve curated this list of some of the best PCI compliance training resources available, such as:
- PCI Security Standards Council
- SANS Security Awareness
- Infosec Train
- The Knowledge Academy
- Teach Privacy
- …and more
In this article:
What are PCI compliance training resources?
PCI compliance training resources include various types of compliance training based on the PCI DSS standards and requirements for the various merchant levels. PCI compliance training resources are designed for different audiences, including:
- Employees: Some PCI compliance training resources are designed for all employees, providing a basic overview and the essential need-to-know information to enable employees to do their part in keeping cardholder data secure.
- Management: Other training resources provide more in-depth information designed to empower managers to implement best practices and ensure their teams are meeting compliance.
- Technical professionals: Other PCI compliance training resources provide more technical information for professionals such as security analysts, systems administrators, and other technical roles.
- Assessor qualification: Some advanced training options are designed to qualify individuals and organizations to perform assessments for other companies.
PCI compliance training programs & courses
@PCISSC
The PCI Security Standards Council offers more than a dozen programs for organizations and individuals who assess and validate PCI DSS compliance for companies and organizations.
Some programs are designed to give candidates a deeper understanding of PCI DSS and how it protects cardholder data. Others provide credentials authorizing the candidate to perform different types of assessments or aid clients or companies in complying with various PCI DSS requirements. For example:
- PCI Awareness Training: This is foundational training for anyone who wants to develop a deeper understanding of PCI DSS security principles, compliance, and general security awareness.
- Internal Security Assessor (ISA)™ Qualification: Candidates learn how to perform internal company assessments, recommend solutions, and remediate compliance issues.
- Qualified Security Assessor (QSA) Qualification: Candidates learn how to perform assessments of entities that must comply with PCI DSS. Those who pass the exam are qualified and authorized to perform assessments and prepare compliance reports.
@ITG_USA
IT Governance USA offers several PCI DSS training programs delivered by experienced practitioners. Courses are available in e-learning or in-house formats, including:
- Staff awareness e-learning: Suitable for all employees who have access to cardholder information, this interactive e-learning course will equip your team with an understanding of PCI DSS requirements. The course meets PCI DSS v3.2.1 requirements and satisfies the requirement to implement a formal security awareness training program (12.6 of PCI DSS v4.0).
- PCI DSS Foundation Training Course: This course was developed by a PCI QSA (Qualified Security Assessor) and is updated for PCI DSS v3.2. A one-day introductory course, it provides a comprehensive overview of PCI DSS fundamentals.
- PCI DSS Implementation Training Course: This is a three-day course that gives candidates a comprehensive understanding of PCI DSS and how to implement a PCI DSS compliance program. Candidates who successfully complete the course and pass the exam earn the PCI DSS Implementation (PCI IM) qualification.
@SANSAwareness
SANS Security Awareness offers role-based PCI DSS compliance training with targeted awareness modules for every role within an organization. Employees start with an introduction to PCI DSS and identify their responsibilities within the company. SANS uses this information to formulate and assign a course relevant to their role. For example:
- PCI DSS for Customer-facing Teams: This module is designed for customer sales and support representatives, cashiers, payment processors, and customer service representatives. It covers the PCI DSS requirements of customer-facing employees in relation to the objectives of the standard.
- PCI DSS for System Administrators: Designed for systems administrators, service and repair specialists, computer systems analysts, and IT administrators, this module reviews PCI DSS requirements related to IT system administrators.
- PCI DSS for Managers: This module is designed for department managers, store managers, vendor managers, and customer experience specialists. It enables professionals in management roles to develop best practices and ensure their teams are protecting cardholder data adequately.
@CFISA_org
The Center for Information Security Awareness offers two levels of PCI DSS training. Designed to help companies comply with the security awareness training requirement of PCI DSS, these courses have a 4-question quiz after each lesson to assess employees’ understanding. Managers can access reports to track employee progress and completion, and employees receive dated certificates upon course completion, which provide dated evidence of training for audit purposes The courses include:
- Level I PCI-DSS Training: Level I training includes 9 lessons that cover safe internet usage basics, strong password practices, recognizing social engineering attacks, and how to protect payment card data and other personal information.
- Level II PCI-DSS Training: Level II training includes 15 lessons covering all the topics in Level I training as well as social media security, today’s cyber threats, how cybercriminals exploit behavior, and the impacts of cybercrime and identity fraud.
@pluralsight
Pluralsight’s PCI DSS Learning Path includes nine courses with a total of 21 hours of learning to give candidates a deep understanding of the PCI standard and the compliance process. It also can be used to prepare for the PCI Professional (PCIP)™ examination. The courses build on prior knowledge to gradually increase from beginner to intermediate to advanced.
A few of the courses in this learning path include:
@cybraryIT
Cybrary’s training library includes three courses related to PCI-DSS and two assessments. The courses are between three and four hours each, one is for beginners and two are for intermediate-level learners. Courses include:
This PCI DSS Bootcamp on Udemy is taught by SecuritasX™ IT Training, which has trained more than 20,000 students (3,000+ have completed this Bootcamp) and has a 4.3 instructor rating. It’s a 5.5-hour, on-demand course with a practice test and certificate upon successful completion. The bootcamp covers topics such as:
- Basics: Students learn the PCI DSS fundamentals and the 12 PCI standards for secure payments.
- Terminology: Students will learn important terms such as acquirer bank, issuing bank, merchant, requirements, and card network.
- Identity access and risk management: Students gain a comprehensive understanding of identity access management & risk management concepts for information security.
This Udemy course was created by Taimur Ijlal, an award-winning cybersecurity leader and instructor with 20+ years of international experience in cyber-security and IT risk management in the fin-tech industry. Iijal has taught nearly 14,000 students (nearly 1,500 who have taken this specific course) and has a 4.4 instructor rating. This PCI-DSS Compliance Masterclass has 7 sections and 22 lectures covering topics such as:
- Overview and history: The course provides an overview of PCI DSS and a history of the standard.
- Requirements: Students learn the 12 PCI DSS requirements and how to implement them.
- PCI DSS v4.0: Students learn about the changes and updates in the latest version and how to prepare for the more customized approach in the new version.
@eretmis
Eretmis Academy offers two live online PCI DSS training courses. Both are taught by Dr. Emmanuel Adu, a certified PCI Qualified Security Assessor (QSA) who has decades of experience in information security and the credentials to prove it, including QSA, PCIP, CISSP, CISA, Security+, CySA+, Pentest+, CSAP, CNSP, CNVP, and AWS CP. The course options include:
- Become A PCI DSS Specialist: This course covers the principles of the PCI DSS, PA-DSS, PCI PTS, and PCI P2PE standards, understanding the PCI DSS requirements and their purpose, understanding the transaction flow, using compensating controls, how and when to use Self-Assessment Questionnaires (SAQs), and more.
- Become A PCI DSS Expert: This course covers everything that’s included in the Become A PCI DSS Specialist course plus PCI DSS testing procedures, requirements of specific payment brands, PCI validation and reporting requirements, and real-world case studies.
@Infosec_Train
Infosec Train’s Payment Card Industry Data Security Standard (PCI-DSS) Training is led by certified and experienced trainers and includes 24 hours of instructor-led training. Recorded sessions and practical exercises reinforce learning. Some of the topics covered include:
- Basics: This course covers the four levels and requirements of PCI DSS and the current PCI DSS standard.
- Detailed and up-to-date knowledge: Students learn the 12 PCI DSS requirements and controls in detail, compliance validation, new wireless guidelines, and new and emerging technologies.
- Technical concepts: This course also covers more in-depth technical concepts, such as applicability, scoping and network segmentation, tokenization, encryption patch management and software development controls, incident and response planning, SIEM and log management, and vulnerability scans and pen testing.
@awscloud
The Cloud Audit Academy (CAA) is an Amazon Web Services (AWS) Security Auditing Learning Path. It isn’t exclusively focused on PC compliance training, but it is a big component of the overall program. It’s designed for current and future auditing, risk, and compliance professionals involved in assessing cloud workloads, with a focus on applying cloud-specific verification techniques and using a risk-based approach to cloud audits. There are 3 levels in this learning path, including:
- Level 1: This level includes one foundational course delivered in an e-learning format. Students explore the differences between auditing in the cloud vs. on-premise.
- Level 2: This level includes one AWS-specific course that’s instructor-led and includes real-world risk examples, use cases, and activities with respective control objectives.
- Level 3: This level includes two instructor-led courses: PCI DSS on AWS focuses on evidence to look for, where to find it, and how to apply it to PCI workloads in AWS Cloud. Federal and DoD Workloads in AWS covers NIST SP 800-171 compliance and how AWS services can be used to aid with U.S. Federal and DoD security and compliance requirements.
@Skillsoft
This quick 15-minute course was developed with subject matter support from The Potomac Law Group, PLLC. Intended for use as awareness training for end users of payment systems required by Standard 12.6.1, this course covers three topics, including:
- Your Role in Proper Payment Card Handling: Students learn their role in proper payment card handling.
- Best Practices for Handling Payment Card Information: Students will be able to identify best practices for handling payment card information.
- Knowledge Check: Processing Payment Cards Securely: Students learn how to process payment cards safely.
@Curricula
In this quick 15-minute training, students will gain an understanding of PCI cyber risks through a simple, fun visual experience. Curricula’s PCI Cyber Security Awareness Training is broken down into the 12 PCI DSS requirements, such as:
- Requirement 2: Configuration Standards
- Requirement 4: Encrypt Transmission of Data
- Requirement 12: Documentation and Risk Assessments
@TKA_Training
The Knowledge Academy’s PCI DSS Foundation course is offered in online instructor-led, online self-paced, and on-site delivery formats. It’s designed to provide employees with the essential knowledge they require to play their part in PCI DSS compliance, including:
- Intro to PCI DSS: Students learn about the basics of PCI DSS, its purpose, objectives, and intent, and protecting stored data.
- PCI standards and compliance: Students learn about how payment brands enforce compliance, compliance requirements for merchants and service providers, and compliance reporting requirements.
- Standard requirements and emerging technology: The course wraps up with an overview of the 12 PCI DSS requirements, new standards, and emerging technologies.
@LmsPortals
LMS Portals provides a SaaS, multi-tenant learning management system (LMS), allowing companies to launch and manage multiple portals, or private learning environments, to meet the training needs of various roles. LMS Portals offers a Corporate Training Library with more than 130 workplace training and employee development courses in categories such as human resources, management, and regulatory compliance. The PCI awareness course covers topics such as:
- Secure systems: Building and maintaining secure networks and systems
- Access control: Implementing strong access control measures
- Security policies: Developing and maintaining an information security policy
@TeachPrivacy
TeachPrivacy was founded by Professor Daniel J. Solove, a leading expert on privacy and data security law and a law professor at George Washington University Law School. TeachPrivacy offers security awareness training, privacy awareness training, and training on several laws and regulations, including FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), and PCI DSS. TeachPrivacy’s PCI compliance course covers topics such as:
- Overview: An overview of PCI DSS, identifying payment card data, threats, and costs and penalties for non-compliance
- Payment card data collection and storage: Minimizing data collection, data storage and disposal, and physical security
- Protecting payment card data: Network protection, checking for tampering, and strong password practices
@vascopatricio
This Udemy course is created by Vasco Patrício Executive Coaching, which provides executive coaching for C-Level executives, VPs, and senior corporate leaders. More than 5,000 students have taken this best-selling course, which has a rating of 4.6 and includes 11.5 hours of on-demand video and 77 downloadable resources. The Fundamentals of PCI-DSS course covers topics such as:
- The assessment process: Everything about how the PCI DSS assessment process works, including RoCs (Reports on Compliance) and the 8 types of SAQs (Self-Assessment Questionnaires)
- Requirement 8: Identifying access with unique user IDs, multi-factor authentication (MFA), and strong password best practices
- Requirement 12: Information security policies, employee screening, and third-party screening
Offered by Wilder Angarita, a cybersecurity professional, this Udemy course includes 8.5 hours of on-demand video. The course covers topics such as:
- The card payment cycle: The full card payment lifecycle from authorization to clearing and settlement
- Self Assessment Questionnaires: The different types of SAQs and examples of how to fill out the SAQ
- PCI-DSS v4 requirements: All requirements of PCI DSS v4, including requirements 1 to 12 and all sub-requirements
The general deployment of Maven Edu’s PCI 4.0 Awareness Training & Education course is a beginner-level course for employees designed to meet the new training requirements in PCI Requirement 12.6 from PCI version 4.0. Specialized deployment is also available, which is designed for security, PCI, and governance experts. The course includes topics such as:
- Introduction and overview: An overview of PCI DSS v4.0, its requirements, and roles and responsibilities
- Reporting: An overview of reporting requirements and what happens when compliance fails
- Threats: A look at the current threats facing the payment card industry, social engineering, phishing statistics, data protection, and policies and procedures
ITPA Training provides a full catalog of training courses on security, privacy, regulatory compliance, and other topics. Its free employee training center enables companies to deliver, manage, and document employee training for compliance audits. ITPA Training offers two courses directly related to PCI compliance, including:
@Kallidus
Kallidus is a suite of human resources and learning and development software to support the complete employee lifecycle, from onboarding to upskilling, performance management, compliance training, and more. Its interactive PCI DSS Online Course is designed for any employee who handles credit card or debit card payments. The 45-minute course includes a 5-minute post-course test and covers topics such as:
- Importance of PCI DSS: An overview that explains why the PCI DSS is so crucial in protecting customers and businesses
- Responsibilities: Staff responsibilities when handling credit or debit card payments
- Security: How to accept credit and debit card payments safely and securely
Other PCI compliance training resources
@CybeReady
CybeReady is an end-to-end employee training program that includes security awareness training, phishing simulations, and AuditReady, its compliance tool designed to help companies stay compliant with mandatory training requirements and ensure they have all the verification necessary for an audit whenever it’s needed. Some of the resources include:
- Phishing Simulations: BLAST - Behavioral Adaptive Simulation & Training is CybeReady’s phishing simulation program. An automated engine recommends the best phishing simulations, leverages machine learning to assign department-specific simulations, and provides personalized training based on employees’ performance.
- Security Awareness Bites: An interactive security newsletter, CAB (Continuous Awareness Bites) automatically delivers training bites to employees’ email inboxes, along with a short quiz to boost understanding. Managers can track KPIs to monitor employee engagement and performance.
- AuditReady: With CybeReady’s compliance solution, managers can easily send training and reminders to employees, track completion and performance and instantly generate compliance reports for an audit.
@wizertraining
Wizer’s PCI training program for employees provides simple, short, 1-minute explanations for essential PCI DSS concepts for easy understanding. Wizer provides automated reporting for easy compliance verification during audits. It covers three key areas, including:
- Limited use: Limited use on devices that handle card payments
- Strong passwords: Strong and unique password practices for logins
- Identity verification: Verifying identities of third-party providers
@BrightTALK
BrightTALK is a global B2B platform for webinars and virtual events. Its PCI DSS category includes more than 10 videos and talks from industry experts, including on-demand videos as well as upcoming talks, such as:
- PCI DSS v4.0 - Navigating the Seven Cs: This 60-minute talk is presented by Sam Junkin, Matt Arntsen, Ciske van Oosten & Peggy Nolan, focuses on the significant changes and updates in PCI DSS v4.0. Presenters will discuss how to conquer the constraints most businesses face during the transition (“seven Cs”).
- Protect Sensitive Data (and be PCI Compliant, too!): Presented by Kevin Poniatowski, Principal Security Instructor at Security Innovation, this nearly 1-hour talk discusses how to make data theft more difficult for attackers and how to ensure that data is unusable if stolen.
- PCI DSS 4.0: Compliance in a Rapidly Evolving Payment Landscape: This 70-minute talk is presented by Juan Carlos Hernandez, the Practice Leader for PCI at 24By7Security. Hernandez talks about the importance of PCI compliance and many of PCI 4.0's main changes to aid companies in meeting compliance by the deadline.
@Im_Ninjio
This original 4-episode series takes a storytelling approach to provide an understanding of PCI compliance for employees who have access to or handle payment card data in their day-to-day responsibilities. The 4-part series covers topics such as:
- Requirement 7.1: Limiting access to cardholder data and systems to employees who require access to perform their job duties
- Requirement 9.7: Implementing control mechanisms and maintaining strict control over media storage and accessibility
- Requirement 12.6: Implementing a formal security awareness program to ensure all employees understand PCI DSS requirements and procedures
Training is an essential requirement of the PCI DSS, but continuous enforcement and training is the key to ongoing compliance. The Reveal Platform by Next takes a proactive approach to compliance management by enforcing relevant laws and regulations to change employee behavior.
The first DLP agent to deliver Machine Learning on the endpoint, Next’s smart agent identifies and categorizes data at the point of risk and leverages multiple behavioral analytics algorithms to differentiate typical vs. non-typical behavior. Automating enforcement, Reveal provides incident-based user training in real-time to empower employees and enable a positive security culture. Assess the performance of your DLP solution and the accuracy of your DLP policies with our DLP Policy Testing Tool.
Book a demo today to discover how Reveal can simplify your PCI DSS compliance management.
Frequently asked questions
What is PCI compliance and do I need it?
PCI compliance means that a merchant has implemented the appropriate standards for protecting payment cardholder data. These standards are set forth by the PCI Security Standards Council (PCI SSC), which comprises the major credit card companies including:
- American Express
- Discover
- JCB International
- MasterCard
- Visa Inc.
While PCI DSS is not law, it is required by the PCI SSC for any merchant who accepts or processes payment cards.
What is PCI compliance training?
PCI compliance training can generally be categorized as one of the following three types:
- Training for assessors: This is the training provided by the PCI Security Standards Council to qualify individuals and organizations to assess and validate compliance and help merchants implement PCI compliance standards and solutions.
- Training for employees: There are various vendors offering PCI compliance training for employees. These programs are designed to ensure employees understand PCI DSS and their responsibilities. This training is required for companies to meet the employee training requirements of the PCI DSS 12.6 standard.
- Training for professionals: PCI compliance training for professionals is also offered by various vendors. This training is designed for professionals in technical roles such as systems administrators, computer systems analysts, IT administrators or management roles, such as department managers and vendor managers.
Is PCI training required?
Yes. PCI training is required for those who wish to be certified to perform assessments for other entities and help clients or companies implement compliance measures. In addition, PCI DSS standard 12.6 requires that companies subject to PCI DSS compliance implement a formal employee security awareness program.
What are the 4 levels of PCI compliance?
The four levels of PCI compliance are based on the number of payment card transactions the merchant processes each year. These levels are:
- Level 1: Merchants that process 6 million+ payment card transactions annually
- Level 2: Merchants that process 1 million to 6 million payment card transactions annually
- Level 3: Merchants that process 20,000 to 1 million payment card transactions annually
- Level 4: Merchants that process less than 20,000 payment card transactions annually
What qualifies for each level may vary slightly among major credit card companies. However, Visa, MasterCard, and Discover all follow the same merchant level criteria. Higher levels require more rigorous assessment and compliance validation procedures.
