PCI security council publishes security awareness guide

The PCI security council has published a guide to help organisations better educate employees on information security

The Payment Card Industry Security Standards Council (PCI SSC) has published a guide to help organisations better educate employees on information security.

Specifically, the guide aims to help organisations educate staff on protecting sensitive payment-card data, which is increasingly being targeted by cyber criminals.

The best practices guide was developed in response to breach reports continually highlighting the critical role employee security understanding and awareness plays in identifying, protecting against and mitigating data compromise.

The PCI SSC administers the Payment Card Industry’s Data Security Standard (PCI DSS).

PCI DSS compliance is necessary for any organisation that handles customer payment card data and specifies how that information must be held and protected.

Requirement 12.6 of the most recent version of the PCI DSS highlights the necessity for organisations to have a security awareness programme in place to educate personnel on the importance of protecting sensitive payment information and how to do so securely.

Developed by retailers, banks and technology providers of a PCI Special Interest Group (SIG), the guide is designed to help organisations of all sizes, budgets and industries to achieve this goal.

PCI SIGs are initiatives selected and developed by the PCI community that provide additional guidance and clarifications, or improvements, to the PCI standards and supporting programmes.

Recommendations for security awareness programmes

According to the PCI SSC, the guide provides detailed recommendations for developing, implementing and maintaining a security awareness programme that supports PCI DSS requirements.

The guide focuses on the key areas of assembling a security awareness team, developing appropriate security awareness content and creating a security awareness checklist.

The guide also includes a sample mapping of PCI DSS requirements to different roles, materials and metrics, for documenting how PCI DSS requirements could be incorporated into a training programme, as well as a checklist for recording how a security programme is being managed.

The Best Practices for Implementing a Security Awareness Programme guide is available for download on the PCI SSC website.

PCI SSC chief technology officer Troy Leach said businesses and employees are exposed to threats every day that can put sensitive information at risk – whether it be Poodle, Shellshock or the latest variant of malware.

“PCI Standards emphasise the importance of people, process and technology when it comes to protecting payment information.

“This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organisations,” he said.

Leach noted that as with all PCI SSC information supplements, the guidance provided in the most recent guide does not supersede or replace any PCI DSS requirements.

PCI DSS version 3.0

Merchants around the world who process payment card information are gearing up for version 3.0 of the PCI DSS, which becomes mandatory for PCI compliance from 1 January 2015.

PCI SSC European director Jeremy King said most merchants have had a look at the latest requirements since the release of version 3.0 and, with it becoming mandatory in January, they are now asking for clarifications.

As part of the clarification process, the PCI SSC has updated the guidance document for the self-assessment questionnaire that must be completed by all merchants applying for PCI DSS compliance certification, he told Computer Weekly.

“Version 3.0 puts a greater focus on trying to improve the security of third-party service providers, because it is in data transfers between merchants and third parties where we are seeing a lot of the compromises and breaches occurring,” said King.

“We now expect merchants to start looking to their third-party providers to be PCI DSS-compliant in their own right, or at least understand the requirements and have appropriate measures in place for securing the data that comes to them,” he said.

Increased focus on data segmentation

Version 3.0 of PCI DSS also puts more focus on data segmentation in response to data breach investigators finding that cardholder data is often scattered throughout databases.

“Version 3.0 requires more proof that cardholder data is restricted to the areas that merchants say it is, and that it is adequately protected,” said King.

“We plan to do much more thorough testing of network segmentations to ensure the exact whereabouts of all card data is known,” he added.

King believes merchants are now a lot more comfortable with the updated requirements and are ready to make the transition at the start of 2015.

“But we still need to focus on awareness – which is still not strong enough across all data security – and not just payment-card data security,” he said.