How to Easily Meet the PCI DSS Awareness Training Requirements

All organisations that transmit, process or store payment card data, or that can affect its security, must meet the requirements of the PCI DSS (Payment Card Industry Data Security Standard). The currently applicable version is PCI DSS v4.0.1, a limited revision of v4.0 published in June 2024; v4.0 itself was retired at the end of 2024.

The PCI DSS consists of a standardised, industry-wide set of requirements and processes for:

  • Policies;
  • Procedures;
  • Software design;
  • Security management;
  • Network architecture; and
  • Critical protective measures.

The Standard also has a requirement for security awareness training.

This blog post explains what the PCI DSS requires for staff awareness training, to whom the requirement applies and how to prove compliance.


What are the PCI DSS requirements for security awareness training?

Requirement 12.6, “security awareness education is an ongoing activity”, demands that you:

  • Implement a formal security awareness programme (12.6.1). This must make all personnel aware of your information security policy and procedures, and of their own role in protecting cardholder data.*
  • Review the programme at least once every 12 months (12.6.2).
  • Update the programme as needed to address new threats and vulnerabilities that may affect the security of the cardholder data environment (12.6.2).
  • Give all personnel security awareness training upon hire, and at least once every 12 months thereafter (12.6.3).
  • Use multiple methods to communicate awareness to, and educate, personnel (12.6.3).
  • Ensure personnel acknowledge, at least once every 12 months, that they have read and understood the information security policy and procedures (12.6.3).

Sub-requirement 12.6.3.1 specifies that the training must raise awareness of threats and vulnerabilities that could affect the security of account data, including phishing and related attacks, and social engineering.

The training must also cover the acceptable use of end-user technologies, in line with Requirement 12.2.1 (sub-requirement 12.6.3.2).

Note that 12.6.3.1 and 12.6.3.2 were future-dated when v4.0 was published and were treated as best practice until 31 March 2025; since that date they are mandatory and an assessor will test them.

*QSA (Qualified Security Assessor) Stephen Hancock gives six practical tips for making cyber security everyone’s responsibility in this blog.


Who must meet this sub-requirement?

Not every organisation within scope of the PCI DSS must meet every sub-requirement. This free green paper explains in more detail how you can reduce your scope to simplify PCI DSS compliance.

However, staff awareness is such an important part of data security that most organisations must implement an awareness programme. Only SAQ A merchants are exempt.*

This is understandable: people are the biggest security risk for most organisations. According to Verizon’s Data Breach Investigations Report, more than two-thirds of breaches involve a human element, whether that’s a mistake, misuse of access or someone clicking a phishing link.

And as Damian Garcia, our head of GRC consultancy, pointed out in this interview:

Out of all the ways you can address the internal threat, staff training is the most obvious solution. If you don’t invest in basic training and awareness, you’re going to suffer more data breaches. It really is that simple.

*SAQ A is available only to card-not-present (e-commerce or mail/telephone order) merchants that fully outsource all account data functions to PCI DSS-compliant third-party service providers. Our free paper provides an overview of the different SAQs (self-assessment questionnaires) to help you choose the right one:

Extract from page 6 of PCI DSS Compliance – Simplifying your SAQ submissions


How can I prove compliance?

Often, simply achieving PCI compliance isn’t enough. You must also be able to demonstrate it – particularly during an investigation or audit.

The Standard itself specifies ‘testing procedures’ for each requirement – what an assessor must check during a PCI DSS assessment. Or, to put it another way, the types of evidence an assessor can rely on. For 12.6.3, those procedures are to examine the programme’s records and to interview personnel.

Documentation is a good place to start:

  • Does your written security awareness programme, and the relevant policies and procedures, cover the PCI DSS requirements?
  • Is the content of the programme adequate? In particular, does it address the threats named in 12.6.3.1 (phishing and social engineering) and the acceptable use of end-user technologies (12.6.3.2)?
  • Do you have records to show completion rates, and that staff take the course upon hire and retake it at least once every 12 months?
  • Do you have dated acknowledgements from each member of staff, renewed at least once every 12 months, that they have read and understood the information security policy and procedures?
  • Does the programme account for multiple communication methods?

In a PCI DSS audit, the QSA will also interview staff to confirm they’ve completed the training and verify your documented evidence.
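The completion and acknowledgement records above are the first thing an assessor asks for, and the gaps are easy to miss in a spreadsheet. The following script is an added example (not code from the original post or from IT Governance) that audits a set of training records against the 12.6.3 cadence: training upon hire and at least once every 12 months, and a policy acknowledgement at least once every 12 months. It assumes a record layout of one entry per person with ISO dates, measures “12 months” as 365 days, and allows a 30-day onboarding window for “upon hire”; none of those three choices is PCI DSS text, and the sample records are constructed.

```python
"""Audit security awareness records against the PCI DSS 12.6.3 cadence.

Added example, not from the original post. Assumptions (not PCI DSS text):
  * the record layout below (one entry per person, ISO dates);
  * "upon hire" is checked against a 30-day onboarding window;
  * "at least once every 12 months" is checked as 365 days.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

ANNUAL = timedelta(days=365)      # assumption: "12 months" measured as 365 days
ONBOARDING = timedelta(days=30)   # assumption: window allowed for "upon hire"


@dataclass
class Person:
    user_id: str
    hire_date: date
    training: list = field(default_factory=list)   # course completion dates
    acks: list = field(default_factory=list)       # policy acknowledgement dates


@dataclass
class Result:
    user_id: str
    findings: list   # gaps an assessor would raise
    notes: list      # items not yet due (e.g. a new starter still in the window)
    next_due: date   # earliest upcoming deadline for this person

    @property
    def compliant(self) -> bool:
        return not self.findings


def _check_annual(kind, dates, hire_date, as_of, findings, notes):
    """Check one recurring obligation (training or acknowledgement) for one
    person and return the date by which the next occurrence is due."""
    on_or_after_hire = sorted(d for d in dates if d >= hire_date)
    if not on_or_after_hire:
        due = hire_date + ONBOARDING
        if as_of > due:
            findings.append(f"no {kind} on record; due {due}, "
                            f"{(as_of - due).days} days overdue")
        else:
            notes.append(f"initial {kind} pending; due {due}")
        return due
    last = on_or_after_hire[-1]
    due = last + ANNUAL
    if as_of > due:
        findings.append(f"{kind} overdue; last {last}, due {due}, "
                        f"{(as_of - due).days} days overdue")
    return due


def audit_person(p: Person, as_of: date) -> Result:
    findings, notes = [], []
    # Data-quality check: a completion dated before the hire date cannot
    # evidence "upon hire" training and usually indicates a bad record.
    for d in sorted(p.training):
        if d < p.hire_date:
            findings.append(f"training dated {d} predates hire {p.hire_date}; verify record")
    t_due = _check_annual("training", p.training, p.hire_date, as_of, findings, notes)
    a_due = _check_annual("policy acknowledgement", p.acks, p.hire_date, as_of, findings, notes)
    return Result(p.user_id, findings, notes, min(t_due, a_due))


def audit(staff, as_of: date) -> dict:
    """Audit every person; returns {user_id: Result}."""
    return {p.user_id: audit_person(p, as_of) for p in staff}


AS_OF = date(2025, 6, 30)

STAFF = [  # constructed sample records, not real people
    Person("alice", date(2021, 3, 1),
           training=[date(2021, 3, 3), date(2022, 2, 20), date(2023, 2, 15),
                     date(2024, 2, 10), date(2025, 2, 5)],
           acks=[date(2024, 2, 10), date(2025, 2, 5)]),
    Person("bob", date(2020, 9, 14),
           training=[date(2020, 9, 15), date(2021, 9, 1), date(2022, 8, 30),
                     date(2023, 8, 28), date(2024, 5, 20)],
           acks=[date(2024, 5, 20)]),                    # refresher and ack lapsed
    Person("carol", date(2025, 6, 20)),                 # new starter, still in window
    Person("dave", date(2025, 4, 1)),                   # new starter, window expired
    Person("erin", date(2024, 9, 1),
           training=[date(2024, 8, 1), date(2025, 3, 1)],  # one record predates hire
           acks=[date(2025, 3, 1)]),
]

if __name__ == "__main__":
    for r in audit(STAFF, AS_OF).values():
        status = "OK " if r.compliant else "GAP"
        print(f"{status} {r.user_id:6} next due {r.next_due}")
        for line in r.findings + r.notes:
            print(f"      - {line}")
```

Run as a script it prints one line per person plus any findings; `audit()` returns the same information so it can feed a ticketing or HR workflow. The one-per-person `next_due` date is what you put in front of managers before the assessor arrives, and the “predates hire” check catches the imported records that otherwise look fine in a completion-rate report.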


Meet your PCI DSS requirements cost-effectively

Meet your staff awareness requirements, and avoid data breaches, with our PCI DSS Staff Awareness E-learning Course.

At just 45 minutes long, this course is ideal for initial and repeat engagement. All staff will receive the same training, at a time and place that suits them. You can also track participation and test results to build an audit trail.

With in-depth, engaging content and activities, you can turn staff from a security risk into a security asset.

Don’t take our word for it

Here’s what our customers say:

Amanda:

We use this course for all our new starters and ongoing reminder training for all CDE staff. It’s easy to buy more licences, easy to administer and manage licence allocations to staff. The content is presented in a good easy-to-digest format and the course meets with expectations. I would be happy to recommend the course.

Catherine:

Wanted an all-in-one PCI staff training solution and this certainly fits the bill – ordered and delivered really quickly – content covered all we required – recommended value for money.

Debbie:

A really useful insight for staff on the subject of PCI – recommended for those needing to have an overall understanding – language used was jargon-free and I would have no hesitation in endorsing the product, value and service delivered by IT Governance.

Also looking for awareness training on ransomware, email misuse, and more?

Check out our Complete Staff Awareness E-learning Suite – a cost-effective option containing more than 24 e-learning courses, covering the PCI DSS, phishing, ransomware, email misuse, and much more.


We first published a version of this blog in December 2014.

The post How to Easily Meet the PCI DSS Awareness Training Requirements appeared first on IT Governance UK Blog.