University Security Awareness Education

PCI Compliance Town Halls (December 2017)

Thanks for joining us at one of our PCI Compliance town hall sessions! The session's recording and presentation slides are provided below.

Pursuant to PCI DSS requirement 12.6, Northwestern's e-Commerce Operations will hold centralized PCI DSS Security Training annually. At least one representative from each Merchant location must attend the centralized training. Though it is at the discretion of the department whether to send additional employees to the central training or to disseminate the information through its own security awareness program, Treasury Operations and/or e-Commerce Operations may require individual or group participation in this and/or other forms of PCI DSS security awareness education training offerings whenever they see fit.

ALL University Merchant Personnel who interact with the CDE (Cardholder Data Environment) in any manner, from the initial entry to the final reconciliation, are required to complete the University's PCI DSS Security Awareness Training and Attestation annually. This mandatory requirement includes student employees and contractors. The current year's PCI DSS Security Awareness Training and Attestation presentation can be found in the Resources section below. 

  • Important: individuals who have not completed this training may not process CHD (Cardholder Data) on behalf of University interests, and Merchant locations using untrained, un-attested individuals to process CHD may have their merchant account revoked.

Before completing this Training and Attestation, each Merchant employee, student employee, or contractor must first read and understand the University's PCI DSS Compliance Program and Compliance Policy found below.

Northwestern Security Awareness Education Training Resources:

  1. MAIN MODULE (allow 45 minutes) – for all applicable staff and contractors
  2. MODULE FOR MANAGERS (allow 20 additional minutes) – for managers or supervisors of staff who handle payment card transactions, who are responsible for reporting and reconciliation, and who manage or direct related activities.
  3. MODULE FOR IT STAFF AND THIRD PARTY SERVICE PROVIDERS (TPSPs) (allow 15 additional minutes) – for any person involved in the design, development, implementation, maintenance, or administration of any system that involves payment card transactions or data.

At the end of the Main Module, you'll be asked about your role. If you are not required to complete the Manager or IT Staff/TPSP Modules, you can then proceed via the link to the online attestation form. The link to the attestation form is also provided after each of those additional modules.