The Payment Card Industry Security Standards Council (PCI SSC) which was formed in the year 2004 for the sole purpose of addressing these risks associated with data security, has set a standard to be followed by organizations that deal with sensitive data or otherwise known as authentication information. The PCI DSS strives to protect sensitive data, but a recent survey suggests that most PCI DSS compliant organizations are viewing this standard as a certification process rather than as an opportunity to improve their resilience. In order to emphasize the importance of the PCI DSS standard and to gain a wholesome perspective, PCI awareness training is required in every organization.
Let us look into the “Who, Why What and How?” of PCI awareness training.
Who must take the PCI awareness training?
The PCI awareness training is aimed at the employees of any organization in the payment card industry, but it can be taken by anyone who would be interested in learning about the payment card industry or any organization which must stay compliant with the PCI DSS standard.
The 12.6 of PCI DSS standards states that it is mandatory for an organization that obtains, processes, and retains payment card data to provide annual training for its staff members.
Why does an organization need PCI awareness training?
Let us take a look at the benefits of undergoing PCI awareness training:
- We are already aware of how being PCI certified can provide a deep understanding of compliance. A PCI awareness training provides important insights way before the organization actually undergoes the assessment and certification process.
- Through such extended insights, the employees of the organization can gain an understanding of better operational efficiency, aiding in cost management and asset management.
- Access to know best practices across the industry in advance.
- Eases in driving compliance and efficiency across the business organization.
What is PCI DSS Standard 12.6?
The PCI DSS 12.6 consists of a Security Awareness Program and Employee Training Requirements. It requires the organization to set up a formal security awareness program to ensure that all the employees are aware of the significance of data security. Below are the requirements of 12.6 PCI DSS :
- 12.6.1 - Provide data security training for the employees at least annually.
- 12.6.1.a - Arrange training through various modes and multiple methods like corporate mailers, web module-based training, training meetings, etc.
- 12.6.1.b - Ensure that all the employees attend the training arranged twice, once during onboarding and regularly on an annual basis.
- 12.6.2 - Take confirmation and acknowledgment from all the staff members that the security policies and guidelines have been communicated and understood by them.
Additionally, the PCI DSS 12.6 also suggests that the training conducted demonstrates the below points :
- The effect of compliance of PCI DSS and the training requirements are fulfilled annually.
- To keep implementing better understanding amongst the employees through training to ensure card data is constantly being protected.
- Make sure that all the staff knows the requirements, roles, and procedures as given by PCI DSS.
- Ensure that the training provided includes awareness about the financial implications caused by data breaches.
- Security updates received every month are being communicated in a timely manner through security mailers and tips.
- The training material includes important documents and policies which have company-specific guidelines on cyber security.
How to implement PCI awareness training?
While implementing a PCI awareness training program, it is to be given utmost importance as it can prove to be a make or break of an organization’s network and cyber governance. The most important task is to decide on a security awareness team as the PCI council has stated that a security awareness team will be responsible for "the development, delivery, and maintenance of the security awareness program". One quick tip while taking the first and foremost step of determining a security awareness team is to choose people from a different team with different responsibilities as that way the inputs provided will be diverse and various needs of different teams will be taken care of. Once a security awareness team is determined, roles must be determined within the team.
Below are a few important things to consider while arranging a PCI awareness training :
- Primary emphasis must be given to internal security. When internal security is emphasized, the best practices are demonstrated in a well-defined manner, and this aids while tackling the external threats.
- Every team in the organization must be given equal awareness about the threats, vulnerabilities present within the organization so that every employee maintains the same state of mind towards cyber risk while at work.
- The prerequisite to a good training program is well-prepared process guidelines and process documents. Compliance with security standards, certifications, existing threat levels need to be analyzed and reported. Important reports and documents need to be easily and readily available for illustrating the importance of cyber risk within the organization to the employees.
- The arranged training sessions must be in a timely manner as vulnerabilities are constantly evolving in nature. Planning the training sessions in regular intervals and in accordance with the organization’s important milestones is important. Timing is key when it comes to training.
- From the very first day of training, make sure that employees take initiative from their end voluntarily to protect the data security of the organization. Cyber risk security tips and awareness must be included in the day-to-day activities of the employees.
- Holding monthly awareness campaigns with a monthly theme is a good way to implement training without affecting day-to-day productivity. Cyber risk themes like password protection, social network security, etc. can be chosen as a monthly topic for special features.
- Sending reminder emails with cyber security tips is also an efficient way of implementing cyber security amongst employees. Email newsletters can be sent if any new guidelines are implemented.
- Intranet portals must be actively used to access the important reports and documents used during the annual training sessions. This way, employees will always have sufficient access to cyber security guidelines.