Because I don’t care how long the password is or how secure the firewall is if employees just start plugging in random USB sticks they found in the parking lot.
Why This Training Exists
If your business accepts credit cards, every employee who touches a register, a workstation, or the business network needs this training. PCI DSS Requirement 12.6 says so — annually, no exceptions.
Just kidding. You should be training every single employee how to do these things. It’s free real estate. If I offered you a free house, are you really gonna turn it down because it doesn’t come furnished? No! Do the free training.
How to Spot a Phishing Email
Phishing is everywhere. They see how much personal info and private data you have and they want you. They want you bad. They stoop so low as to spam your inbox, your phone, your mail, your Facebook, your dating apps, they’ll even spam your grandma if they have to. And sadly, knowing all of that, we still have to venture out into the digital age and persist. So protect yourself with tips, tricks, and tools. You won’t be able to read minds, but you can read the Reply-To: and hit the “Report Spam” button, can’t you?
Phishing emails are a lot like dating. You’re gonna see a lot of red flags. Here are some to watch out for:
Urgent or threatening language
“Your account will be closed in 24 hours” or “Immediate action required.” It’s only urgent if it causes enough panic in your heart to send you running into the strong, firm embrace of your IT admin’s inbox. If you’re not scared enough to seek help, it ain’t all that urgent. Don’t let them fool you with scary words and meaningless language. If you’re scared, don’t worry, I’ll wrap you in a warm Support Ticket and stoke the firewall ♥
Display names? More like Display lies
Display Names, as you’ve probably noticed from making your own, are entirely made up. You can put down anything your heart desires, can’t you? Well, the same freedom applies to spammers and grifters. They can and do change their display names to say things like “Amazon Support”, but they’re lying. Go look at the actual sender email address. Does it say “support@amazon.com” (✓) or does it actually say “amaz0n.com” (✗)?
What phishing actually looks like
These are not hypothetical. These are the kinds of emails that land in real inboxes every single day.
“ACTION REQUIRED: Verify your direct deposit information.” — Looks like it came from HR. Same logo, same signature block, same font. But the Reply-To goes to a Gmail address. They’re hoping you’ll hand over your bank routing number before you notice.
Generic greetings
“Dear Customer” and “Dear User” are just Stranger Danger dressed up in a trench coat. Don’t know my name? Then I don’t need to know yours, punk. :D Stop wasting my time. My bank knows my name just fine. Even Reddit calls me by my fake internet name, like a gentleman. Don’t fall for “Dear Stranger.”
Suspicious links
Hover the link to check it first. If you hover it for ~3-5 seconds, it should make a bar appear with the full link listed. If it says it’s a link to Facebook but then the hover readout says “http://www.superfakelink.com/fakeprofile25258922” then it might be a scam. Why doesn’t it take you to facebook.com? Because it’s lies. Go back and check the Reply-To: and Sender email again. Still nothing but a suspicious link that makes you feel the grip of uncertainty? Everything is gonna be alright, we’re here, let IT reassure you.
Attachment Styles
Everyone has a different attachment style. Some of us are stand-offish and send Word documents. Some of us are mature and use PDF. Others still send OpenOffice files like degenerates. We’re each different, but we are all vulnerable to attacks: anything from .zip and .exe files to Office documents asking for macro access. It’s a jungle out there, so bring a machete named Antivirus. Never accept a download from an unexpected person, unexpected time, or unexpected source. Go ask the sender, through proper channels: “Hey, did you send me this?” It doesn’t need to be complicated. From your boss to your bank, go ahead and circle back with them through known, secure means of communication to make sure. Don’t ignore your gut. If you wanna page IT, it’s okay. We just can’t wait to hear your call.
“Shared document: Q4 Budget Review.xlsx”
“Oh look, an email from Steve,” you think to yourself as you glance down at your phone. Wait. An email from Steve? The beginnings of a question form, but before you can finish thinking it, you glance up.
There’s Steve. He’s talking to you right now.
Maybe he sent it earlier and it just took a second to get it? What a weird coincidence.
With a nervous chuckle, you show him your phone and say “Haha, look, you just emailed me!”
Steve glances at the phone. Then back at you.
A man who trusted the familiar face of a friend — only to find that trust had been borrowed by a stranger. A reminder that in the digital age, even Steve isn’t always Steve. Filed under: cautionary tales… from the Twilight Zone.
Requests for credentials or card numbers
That guy on the other end claiming to be tech support and he just needs to verify your identity to unlock your account? He’s — and say it with me, class — lying. Your account isn’t even locked right now. Hang. Up. The. Phone. If someone calls and says there’s a problem, tell them you’ll call back at the main line. If they’re pushy, push back harder and fight dirty. Get super swamped with work — “Oh no, someone just walked into my office, I have to go. I’ll call the IT department main line later! Bye-sies!” Buy yourself time to think over the interaction and form an opinion on what exactly they were asking of you. The IT department would never be so pushy with you. We respect your boundaries, boo. If it’s giving “odd” or makes you furrow your brow, that’s your threat detection system flagging it for investigation. Mull it over. Who did they say they were? Is there any proof of that claim that I can dig up? Where can I go to confirm this information independent from what that person said? Well, if the “bank” sends you an email about locking your account, look on the back of your card and call their hotline. If “IT” calls and needs your passwords, you should reject this call; IT already has access to your account. Contact the real IT department to make a report.
When in doubt, don't click. Contact the sender through a known channel — call the number on their official website, not the number in the email. Call me, beep me, if you wanna reach IT. Whenever you need IT — it doesn’t matter where or when there’s trouble.
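The red flags above (Reply-To pointing somewhere else, a display name that doesn’t match the sender’s domain, urgent language, a generic greeting, and a link whose text says one site while the hover readout says another) can be checked mechanically. The script below is an added example, not part of the original training or any product it mentions: it parses one raw email with Python’s standard library and prints each red flag it finds. The sample message, the “acme.example” internal domain and the department keyword list are constructed assumptions for the demo; a real deployment would use the business’s own mail domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the business's own mail domain. A display name that
# claims to be an internal department from any other domain is a red flag.
INTERNAL_DOMAINS = {"acme.example"}
DEPARTMENT_WORDS = {"hr", "it", "payroll", "helpdesk", "support"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer")
URGENCY_PHRASES = ("immediate action", "action required", "24 hours",
                   "will be closed", "will be suspended")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#].*)?$", re.I)

# Constructed sample message (not a real email), modelled on the fake
# "verify your direct deposit" HR notice described in the text.
SAMPLE_EMAIL = """\
From: "Payroll HR" <hr@acme-payroll-notice.example>
Reply-To: payroll.verify@gmail.example
To: employee@acme.example
Subject: ACTION REQUIRED: Verify your direct deposit information
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, your account will be closed in 24 hours.</p>
<p><a href="http://www.superfakelink.example/fakeprofile25258922">https://hr.acme.example/verify</a></p>
</body></html>
"""


def domain_of(address):
    """Lowercase domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_red_flags(raw_message):
    """Return a list of red flags found in one raw message (empty = none found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_to)

    # 1. Reply-To points somewhere other than the sender's own domain.
    if reply_to and reply_domain != from_domain:
        flags.append(f"reply-to domain mismatch: {from_domain} vs {reply_domain}")

    # 2. Display name claims an internal department, but the address is external.
    if set(re.findall(r"[a-z]+", display_name.lower())) & DEPARTMENT_WORDS \
            and from_domain not in INTERNAL_DOMAINS:
        flags.append(f"display name '{display_name}' from external domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = (msg.get("Subject", "") + "\n" + text).lower()

    # 3. Urgent or threatening language in subject or body.
    if any(p in lowered for p in URGENCY_PHRASES):
        flags.append("urgent or threatening language")
    # 4. Generic greeting instead of the recipient's name.
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting")

    # 5. Link text shows one host while the href actually goes to another.
    collector = LinkCollector()
    collector.feed(text)
    for shown, href in collector.links:
        if not URL_LIKE.match(shown):
            continue  # anchor text is a phrase, not a URL; nothing to compare
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            flags.append(f"link text says {shown_host} but goes to {real_host}")
    return flags


if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the sample it reports all five red flags; a plain message from a coworker on the internal domain with no Reply-To and an honest link comes back with an empty list. None of these checks proves an email is malicious on its own, which is exactly why the text says to verify through a known channel rather than trust the email.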
Social Engineering
Phishing is just one type of social engineering. Attackers also use phone calls (vishing), text messages (smishing), and in-person deception to manipulate employees into giving up information or access they shouldn't.
Common scenarios
"I'm from your payment processor. I need to verify your merchant ID." — Your payment processor does not call you to verify your merchant ID. If someone claims to be from your processor, hang up and call the number on your processing statement.
"I'm the new IT guy. I need the Wi-Fi password." — Verify through your manager before giving network credentials to anyone, even if they look the part. Attackers dress professionally and act confident.
Tailgating through secured doors. — Someone follows an employee through a locked door without badging in. They carry a box or look like a delivery driver to avoid suspicion.
"I left my card inside. Can you let me behind the counter?" — A pretext to get into restricted areas. It works because people default to being helpful.
The pattern is always the same. Social engineering works by exploiting trust and creating urgency. The attacker wants you to act fast and skip the verification step. The defense is simple: verify through a separate channel before acting on any request for access, credentials, or sensitive information.
Password Hygiene
Weak passwords are one of the easiest ways for an attacker to get in. PCI DSS 4.0 requires a minimum of 12 characters for all passwords. But length alone is not enough — how you manage your passwords matters just as much.
Rules every employee must follow
Never share your login with a coworker — not even temporarily. PCI DSS requires unique IDs for every user so that actions can be traced to individuals.
Never write passwords on sticky notes, under keyboards, or taped to monitors. An auditor will find them. So will an attacker.
Use the company password manager. Your employer provides one so you don't have to memorize anything beyond a single master password. (This ties into the technical controls covered in the hardening guide.)
Never reuse work passwords on personal accounts. If your personal account gets breached, the attacker now has your work credentials too.
If you think your password has been compromised, report it and change it immediately. Don't wait. Don't assume it's fine. Report it and reset it.
| Practice | Good | Bad |
|---|---|---|
| Password length | 12+ characters, using a passphrase | 8 characters or fewer |
| Storage | Company password manager | Sticky note, spreadsheet, text file |
| Sharing | Never — each person has their own login | "We all use the same POS login" |
| Reuse | Unique password for every account | Same password for work email and personal Netflix |
| Compromised password | Report immediately, change it now | "It's probably fine, I'll deal with it later" |
| Multi-factor authentication | Enabled on all accounts that support it | Disabled because it's "annoying" |
Day one: ask your manager for access to the company password manager. If the business does not have one yet, that is a conversation worth having. Free options exist. One master password replaces every sticky note, every shared login, and every “I forgot” call to IT.
POS Tamper Checks
Skimming attacks install small devices on card readers to steal card data as customers swipe, dip, or tap. These devices can be almost invisible — thin overlays on PIN pads, fake card slots, or tiny cameras aimed at the keypad. Your daily inspection is the first line of defense.
Daily inspection routine
Wiggle the card reader. It should be firmly attached to the terminal, not loose or wobbly. A skimmer sits on top of or over the real reader and will feel different.
Check the PIN pad. Feel for extra thickness, misaligned buttons, or anything that seems like an overlay sitting on top of the real pad.
Inspect the cables. Look for anything spliced in, extra wires, or unfamiliar devices attached between the terminal and the wall or network connection.
Compare to a reference photo. Keep a photo of what the terminal should look like when it's clean. Compare against it every shift. Differences are easier to spot side by side.
Check for hidden cameras. Look for small holes or unusual objects pointed at the PIN pad — a tiny camera could be capturing PINs as customers type them.
Inspect tamper-evident seals. Many terminals have security stickers over screw holes and seams. If a sticker shows "VOID," is torn, or looks like it has been peeled and reapplied, report it immediately.
This inspection takes about 30 seconds per terminal. Do it once per shift — at the start, before you process any transactions.
If anything looks wrong, do NOT continue using the terminal. Unplug it, report it to your manager, and switch to a backup device. Do not try to remove a suspected skimmer yourself — leave that to law enforcement or your payment processor's fraud team.
Card Data Handling
Card data is the most sensitive information your business handles. PCI DSS exists specifically to protect it. As an employee, your job is to make sure card data never leaves the POS system.
What you must NEVER do
Never write down a customer's card number — not on paper, not in a text message, not in an email, not in a chat. Nowhere.
Never photograph a credit card. Not even "just to process it later." There is no safe way to store a photo of a card.
Never process a transaction on a personal phone or device. Only use company-approved POS equipment.
Never read a card number aloud in a way others can hear. If you need to verbally confirm digits with a customer, lower your voice and keep it between you and them.
Never store card data anywhere other than the POS system. No spreadsheets, no notebooks, no "backup" files. The POS system handles encryption and tokenization — nothing else does.
What if a customer wants to pay over the phone?
If a customer wants to pay over the phone, do not take the card number. Send them a payment link or a hosted payment page instead. Taking card numbers verbally puts the business in a higher PCI scope — more auditing, more paperwork, more risk. There is no upside.
If you accidentally see or handle card data outside the POS system, report it. It is not a fireable offense to make a mistake. But hiding it is a compliance violation — and that creates real consequences for the business and for you.
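The rules above boil down to one thing: a card number must never turn up in a chat, a spreadsheet, an email or a text file. The script below is an added example, not part of the original training: it scans lines of text for anything that looks like a card number, uses the Luhn check (the checksum every payment card number carries) to separate real card numbers from order numbers and phone numbers, and reports only a masked version so the scan itself does not leak the data. The sample lines are constructed; the two card numbers in them are well-known test numbers, not real cards.

```python
import re

# Constructed sample lines (no real customer data): the kind of text that ends
# up in a chat, spreadsheet or email when card data leaves the POS system.
SAMPLE_LINES = [
    "customer called back, card is 4111 1111 1111 1111 exp 09/27",
    "order #1234567890123456 shipped Tuesday",       # 16 digits, but not a card
    "refund for 5555-5555-5555-4444 approved by Steve",
    "call HR at 555-0100 about the schedule",         # too short to be a card
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9           # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the first six and last four digits, the customary masked form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked card numbers found in one line of text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # Order numbers and phone numbers almost never pass Luhn by accident.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines):
    """Map 1-based line number -> masked card numbers, for lines that leak card data."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits[number] = pans
    return hits


if __name__ == "__main__":
    for number, pans in scan_lines(SAMPLE_LINES).items():
        print(f"line {number}: card data found -> {', '.join(pans)}")
```

Lines 1 and 3 are reported with the numbers masked; the order number on line 2 has the right length but fails the checksum, and the phone number on line 4 is too short. The same logic is what commercial data loss prevention tools run over mailboxes and file shares, and it is why “I only typed it into a chat” still counts as card data leaving the POS.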
Physical Security
Digital security means nothing if someone can walk up to an unlocked workstation or wander into your server room. Physical access is the fastest path to a breach.
Lock your workstation every time you step away. Win+L on Windows. Cmd+Control+Q on Mac. Every time. Even if you're just walking to the back for 30 seconds.
Don't let anyone you don't recognize behind the counter or into back-of-house areas. It doesn't matter what they're wearing or what they say they're there for.
Challenge strangers in restricted areas. A simple "Can I help you find someone?" is enough. If they belong there, they'll have an answer. If they don't, you've just stopped a potential intrusion.
Don't hold doors open for people you don't recognize. Tailgating is one of the oldest physical security attacks, and it works because people are polite.
Keep server rooms and network closets locked at all times. Only authorized personnel should have keys or access codes.
Shred before you trash. Any document with card or customer data gets shredded, not tossed. See the Document Shredding Policy below for what counts and what kind of shredder to buy.
USB and Unknown Devices
If you find a USB drive in the parking lot, at the front counter, or "left by a customer" — do not plug it in. This is not hypothetical. It is a real attack technique called a USB drop, and it is specifically designed to exploit curiosity.
Never plug in a USB drive you found. Not into your workstation, not into the POS terminal, not into your personal computer. Hand it to your manager.
Only use company-approved devices. If you need a USB drive for work, your employer will provide one.
Don't plug personal phone chargers into POS terminals or business computers. Use a wall outlet or a dedicated charging station. USB ports on business machines are data pathways, not power outlets.
The malware executes the moment the drive is plugged in — no clicking required. There is no safe way to “check what’s on it.” Hand it to your manager and let them deal with it.
Safe Browsing and Wi-Fi
How you use the business network matters. Every device connected to it is a potential entry point for an attacker — and every personal device that shouldn't be there expands the attack surface.
Don't use personal email on work computers. Personal email is a common delivery mechanism for phishing and malware. Keep it on your phone, on the guest Wi-Fi.
Don't download software without approval. Even something that seems harmless — a browser extension, a PDF tool, a "free" utility — could contain malware or create a vulnerability.
Don't dismiss Windows Update or security alerts. Those updates patch known vulnerabilities. Clicking "remind me later" every day for three months is how systems get compromised.
Personal phones go on the guest Wi-Fi, not the business network. Your manager or IT admin can give you the guest network password. The business network is for business devices only.
The network is segmented into VLANs for a reason. Personal devices on the business network put the card reader in PCI scope — one compromised phone becomes a compliance problem for the entire business. Guest Wi-Fi exists so your personal devices have internet access without touching anything sensitive.
Document Shredding Policy
PCI DSS Requirement 9.4.6 requires that hard-copy materials containing cardholder data be destroyed when no longer needed, using a method that renders the data unrecoverable. For paper documents, that means a cross-cut shredder — not a strip-cut, and definitely not the recycling bin.
What must be shredded
Any document with card numbers, even partial. Receipts, transaction logs, handwritten notes, refund paperwork — if it has digits from a card number, it gets shredded.
Customer information printouts. Names, addresses, phone numbers, email addresses tied to transactions.
Old reports and statements. End-of-day reports, batch settlement printouts, monthly statements from your payment processor.
Voided or declined transaction receipts. A voided receipt still has card data on it. Shred it.
Anything you would not want a stranger reading. When in doubt, shred it. The shredder is cheaper than the breach.
Cross-cut vs. strip-cut
Strip-cut shredders slice paper into long ribbons. Those ribbons can be reassembled — it is tedious, but it has been done in real investigations. Cross-cut shredders cut in two directions, producing small confetti-like particles that are practically impossible to reconstruct. PCI compliance means cross-cut, P-3 or higher. That is more than enough teeth for a small business.
Recommended shredders
A compliant shredder is a one-time purchase under $50. These are budget-friendly options that handle paper, credit cards, staples, and paper clips:
| Model | Type | Sheets | Approx. Price |
|---|---|---|---|
| Bonsaii C237-B | Cross-cut | 8 | ~$35 |
| Amazon Basics 8-Sheet | Cross-cut | 8 | ~$40 |
| Aurora AU1230XA | Cross-cut (anti-jam) | 12 | ~$45 |
All three shred credit cards and handle staples without requiring removal. Prices are approximate as of 2026 — verify current availability before purchasing.
This is one of the cheapest security upgrades you can make. A $35 cross-cut shredder next to the register or in the back office turns a compliance gap into a closed item. Buy one, plug it in, and train your staff to use it for anything with cardholder data. Done.
Incident Reporting
A security incident is anything that looks wrong, feels wrong, or breaks the rules covered in this training. You do not need to be certain something is an attack to report it. If something seems off, say something.
What counts as a security incident
A POS terminal that looks tampered with or feels different than normal
A phishing email — whether you clicked on it or not. Forward it to your manager.
A lost or stolen work device (laptop, tablet, phone used for business)
Suspicious login activity or an account that keeps getting locked out
A customer reporting unauthorized charges after visiting your business
Any violation of the rules in this training — yours or someone else's
What to do
Stop: Don't try to fix it yourself. Don't investigate. Don't "see if it happens again." Stop what you're doing with the affected system.
Report: Tell your manager immediately. Not in an hour, not at the end of your shift — now. Every minute of delay gives an attacker more time.
Preserve: Don't delete anything. Don't clear your browser history. Don't unplug anything — unless it's a tampered POS terminal, in which case unplug it and set it aside.
Document: Write down what happened, when it happened, and exactly what you observed. Details matter for the investigation that follows.
You will not get in trouble for reporting a false alarm. You will get in trouble for sitting on a real one.
Training Schedule
PCI DSS requires annual security awareness training, but annual is the bare minimum. Best practice is quarterly refreshers — short sessions that reinforce the key points and cover any new threats.
New employees: Security training on day one, before they touch any system, any register, or any workstation. No exceptions.
Annual requirement: Every employee completes full training once per year. This is what PCI assessors check for.
Quarterly refreshers: Brief sessions covering new phishing techniques, recent incidents, or reminders on specific topics like tamper checks or password hygiene.
After any incident: Immediate refresher training for the affected team. If something went wrong, make sure everyone understands what happened and how to prevent it next time.
Keep records: Document who completed training and when. Your PCI assessor or acquiring bank will ask for proof. A sign-in sheet or training log is sufficient.
This training is one piece of a larger security program. For the technical controls that support these practices — network segmentation, firewall rules, system hardening — see PCI Hardening Basics. To understand the business case for why all of this matters, see The Importance of PCI Compliance.
This guide is provided for educational and portfolio purposes. It reflects general best practices and does not constitute professional security consulting for your specific environment. Consult a qualified professional for your business’s security needs.