For your organization’s PCI security controls to be effective, your employees must be trained on best practices to safeguard sensitive cardholder data. Compliance with the PCI awareness training requirements will help keep your employees informed of these practices and ensure your data remains secure year-round. Read on to learn more about these requirements.
What are the PCI Awareness Training Requirements?
PCI awareness training helps your employees gain familiarity with the PCI DSS Requirements and empowers them with the knowledge and skills to safeguard cardholder data from security threats. Our overview of the PCI awareness training requirements below will help you learn:
- What PCI DSS Requirement 12 comprises
- How to develop a PCI security awareness program
- How to implement PCI security awareness training
Compliance with the requirements will also help you organize effective PCI security awareness training that benefits your organization in the long run. That proactivity is most effective when guided by a trusted PCI compliance partner.
PCI DSS Requirement 12 – Establish an Information Security Policy
Any organization that handles cardholder data (CHD) must comply with the Payment Card Industry (PCI) Data Security Standard (DSS) to keep CHD safe from security threats. PCI DSS Requirement 12 mandates that these organizations establish information security policies to govern the implementation of security controls organization-wide.
In most organizations, not every individual involved in collecting, processing, transmitting, or storing CHD is fully aware of the expectations for handling sensitive data. Every instance in which CHD is poorly handled increases the chance of it being compromised during a cyberattack and resulting in a data breach. PCI awareness training narrows this gap in information security implementation and helps your organization process CHD securely.
Let’s dive into the PCI awareness training requirements stipulated by DSS Requirement 12.6 and explain how they can help you safeguard CHD in the short and long term.
Developing a PCI Security Awareness Program
PCI awareness training reduces the information gaps that can contribute to security risks or limit the effectiveness of security controls. Ultimately, increasing awareness of PCI security across your organization is most effective when formalized into a PCI security awareness program.
The main goal of developing such a program is to educate all personnel who handle CHD and sensitive authentication data (SAD) about their role in safeguarding this sensitive data.
In the absence of a formalized training program, even otherwise well-implemented security controls will not be as effective due to the potential for avoidable human errors and oversights.
What Does it Take to Develop a PCI Security Awareness Program?
Building a robust PCI awareness program extends beyond developing PCI awareness training resources and passing this information on to the staff in your organization who process CHD or SAD. For personnel to take full responsibility for their actions and effectively implement security controls, they must be aware of their specific roles in keeping CHD safe from security threats.
Per PCI DSS Requirement 12.6.1, all personnel who handle CHD at any point during its processing or storage within your organization must be knowledgeable about the following:
- Potential threats to the sensitivity of CHD and SAD
- Responsibilities critical to implementing PCI security controls
- Sources of guidance to streamline PCI DSS compliance
For PCI security awareness training to be considered effective, you must regularly evaluate whether the personnel handling CHD are becoming more aware of potential security risks and threats to CHD, as defined by your organization’s PCI security policy.
Keeping a PCI Security Awareness Training Program Up-to-Date
As the PCI threat landscape evolves and data security risks change, you must update your PCI awareness training program to reflect these changes. Considering the sensitivity of CHD and SAD, it is critical to address these risks before they become full-blown threats. As such, PCI DSS Requirement 12.6.2 recommends reviewing the effectiveness of the security awareness program at least once every 12 months to ensure it remains compliant with the PCI standards.
The PCI awareness training must also be updated to include defenses against any new threats or vulnerabilities your security team identifies as potential risks to CHD or SAD. Hence, the content of any PCI security awareness training exercise must be updated regularly to ensure your staff is following accurate guidance on how to mitigate threats to CHD and SAD.
What Threats Can PCI Security Awareness Training Mitigate?
When developing a PCI awareness training program, you must also account for threats and vulnerabilities affecting the cardholder data environment (CDE). Threats like social engineering (e.g., phishing) typically rely on human error and can be mitigated with PCI security awareness training.
A PCI-compliant security awareness training program can train your staff to:
- Identify signs of social engineering attacks early in their lifecycle
- Respond to suspected social engineering attacks by initiating appropriate protocols
- Report suspected social engineering activity before it spreads to other users
Compliance with PCI DSS Requirement 12.6 will help you develop a robust PCI security awareness training program that will mitigate rampant threats to CHD, such as social engineering attacks.
How to Implement PCI Awareness Training
Once you have established a PCI security awareness training program, you might be wondering how to keep employees trained on best practices for safeguarding sensitive CHD and SAD. Per DSS Requirement 12.6.3, here’s how you can implement a PCI awareness training program:
- Schedule routine training – Any staff who handle CHD or SAD should receive PCI security awareness training when they are hired and at least once every 12 months from the date of hire. You can also streamline routine training activities by:
  - Including security awareness training in the employee onboarding experience
  - Providing periodic refreshers to remind personnel about security best practices
  - Enforcing training when employees transition to roles requiring access to CHD
- Communicate using various channels – Given that the level of detail in PCI awareness training may vary based on specific job roles or responsibilities, it is easier to organize training sessions via a range of communication channels such as:
  - Web-based training for more hands-off roles that require basic knowledge
  - In-person training for more hands-on roles where simulations may be necessary
  - Team meetings to discuss technical aspects of security awareness
- Request acknowledgment of training – Your staff must also acknowledge that they attended a training session at least once every 12 months. A critical component of acknowledgment is for personnel to attest that they have read and fully understand your PCI security policy and are well-equipped to perform their roles and responsibilities.
Ultimately, PCI awareness training should provide a starting point for your staff to access educational resources, ask for guidance or assistance, and keep CHD safe in the long term.
The PCI Security Standards Council does not currently offer free PCI awareness training for employees, although discounted training packages are available depending on the number of individuals in your organization who need training. A longer-term strategy for investing in PCI compliance training is to partner with a PCI compliance specialist—like RSI Security.
Secure CHD with PCI Security Awareness Training
Working with a PCI compliance advisor will provide you with much-needed PCI awareness training to comply with DSS Requirement 12.6. Perhaps the biggest benefit of working with an experienced PCI compliance partner like RSI Security is that you can rely on our expertise for all elements of compliance—optimizing PCI DSS implementation, assessments, and more.
Contact RSI Security today to learn more and get started!