Options

Security around PCI, Credit Card and personal data?

DatabaseHeadDatabaseHead Member Posts: 2,753 ■■■■■■■■■■
in Security Awareness & Training
Anyone know of any good training that covers PCI, Credit Card and Personal Data at the web / app layer.  I am working on several projects and a huge gap for me personally is the API security layer.  If it ties to a certification track that I may pursue down the road, even better.  The main take away however is the knowledge.  

I've did my own research but I keep going down rabbit holes with out any idea of the training is enough.....
Tagged:
· Share on FacebookShare on Twitter

Comments

  • Options
    thomas_thomas_ Member Posts: 1,012 ■■■■■■■■□□
    I don't know of any training.  I did look into PCI compliance because I wanted to start doing e-commerce.  I realized pretty quickly that just running a WordPress website with WooCommerce wasn't going to be compliant.  I researched third party payment gateways to reduce what was in scope, but ultimately ruled out most of them for one thing or another.  One of the companies I had high hopes for that seemed to really understand PCI compliance surprised me when they said they wouldn't be willing to give me an Attestation of Compliance even though the PCI-DSS guidelines clearly state:

    "12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?"

    "12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?"

    Ultimately, I came to the conclusion that I think most small businesses just check the box and say they are compliant without really being compliant or don't even realize that they have to be compliant.  I only found out about PCI-DSS because I read Stripe's terms and conditions which stated that I needed to be PCI compliant at all times.  I decided to go with Shopify instead of doing a WordPress website because when I contacted them about the issue they said they would give me an Attestation of Compliance.  In the end it was kind of moot because I still haven't put up the website and started selling stuff.

    Here's a link related to what I was discussing above:

    https://pciguru.wordpress.com/2015/07/11/get-over-it-you-are-a-service-provider/

    I would say read the PCI-DSS guidelines that are applicable to you and take notes of what you think might be relevant.  Afterward research to see if there are ways to make it out of scope or if it's even in scope to begin with.
    · Share on FacebookShare on Twitter
  • Options
    MeggoMeggo Registered Users Posts: 197 Admin
    Have you checked out the PCI DSS website recently? They have quite a few courses listed on their site around PCI DSS compliance for a variety of roles: 

    https://www.pcisecuritystandards.org/program_training_and_qualification/

    If they don't have what you're looking for, I bet they could point you in the right direction. 

    Hope this helps!

    -Megan
    Director of Product Marketing at Infosec
    Who we are | What we do 
    · Share on FacebookShare on Twitter
Sign In or Register to comment.