PCI compliance is one of the more complex aspects of running any business that accepts payment cards from customers. Protecting customer data is a multi-faceted process that encompasses everything from electronic protections to adhering to specific guidelines for the training and education of employees. While all aspects of the compliance plan are important, one might argue that the training portion of PCI compliance is the most important piece.
Studies of recent data breaches indicate that the majority (at least 40 percent) are directly attributable to individual negligence. An additional quarter of all breaches stem from malicious attacks, many of which can also be traced back to individual errors or negligence. Because all it takes for customer data to be compromised is a single employee opening a phishing email or failing to secure a payment terminal, it’s vital for businesses to provide ongoing training in security awareness.
What Is Security Awareness Training?
Per PCI DSS requirement 12.6, your business must “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.” Personnel must be trained upon being hired, and receive refresher training at least once per year. Employees must also acknowledge that they have read and understood the security policy and procedures at least once per year.
PCI compliance guidelines state that security awareness training must be role-based; that is, while all employees should understand their role in cybersecurity and the protection of data, those in specialized or managerial positions require different levels of security awareness. For example, while a customer service representative or clerk may need to be trained in general BASYS processing best practices as well as policies for keeping cardholder data secure during transactions both in-person and over the phone, a manager will need additional training in social engineering, BYOD security, phishing, and other forms of attack.
Training should be developed by a security awareness team made up of representatives from different levels and branches of the company, and made available in multiple formats to best meet the needs of all employees. Some companies opt instead to purchase training materials from an approved vendor.
Security Training Basics
Most PCI-compliant security training covers a few basic topics, including DSS requirements, how to recognize fraud, how to recognize and make use of card security features, how to safely handle card payment information, and issues in IT and the back office related to card security. Within those topics, most courses will explore phishing, social engineering, malware, password management, desktop and wireless security, and physical security. Again, the complexity and depth of this training depends largely on the employee’s role in the company.
What most experts note, though, is that while the content of training programs is generally thorough, training isn’t offered often enough to keep security awareness at the forefront of employees’ minds. Most businesses follow the PCI guideline of requiring a refresher at least once per year, but to maintain top-of-mind awareness, more frequent training is recommended. Offering refresher training on a quarterly basis can significantly reduce the likelihood of a security incident.
It’s also important to keep detailed and complete logs of employee security training. If you are governed by PCI DSS standards, you must submit a Report on Compliance each year — and if you conduct more than 6 million transactions each year, that compliance audit is even more rigorous, and must be conducted by a Qualified Security Assessor (QSA). In either case, demonstrating compliance relies at least partially on providing proof that you have conducted the necessary employee training and followed the security awareness training protocols.
The PCI council also recommends that employers conduct regular interviews of personnel to ensure that they have completed their training and understand both the importance of protecting payment information and their role in doing so. These regular “check-ins” can help identify gaps in training on both individual and company-wide scales, and show you where you might need to provide additional or more in-depth training.
Complying with PCI DSS standards is a complex process. You cannot simply run down a checklist, ticking off items as you go. Protecting both your business and your customers requires a great deal of attention to detail and, to an extent, jumping through some hoops. However, that work will pay off when your business is protected against serious data breaches and the problems that they bring.