Employee information awareness training: PCI policy templates

To comply with PCI DSS -- and keep cardholder data secure -- organisations must train their employees on data handling best practices. This tip explains how.

eye on PCI DSS

The following PCI policy templates are aimed at providing PCI DSS program managers and CSOs with tips to conduct informative, time-efficient and cost-effective information awareness training programs to comply with PCI DSS requirements and provide staff with security skills.

1. There are three standards related to credit card security, not just one.
The Payment Card Industry Data Security Standard (PCI DSS) is one of three security standards managed by the Payment Card Industry Standards Security Council. PCI DSS covers requirements that acquiring banks, payment service providers, and gateways and merchants must comply with. The Payment Application Data Security Standard, or PA-DSS, covers requirements that software vendors producing commercial payment applications must comply with. These applications include ecommerce payment products and payment applications installed on point-of-sale (POS) or electronic POS (EPOS) devices. PCI PIN Transaction Security (PCI PTS) covers security for all personal identification number (PIN) terminals, including POS devices, encryption of PIN pads and unattended payment s, such as those at car park or train kiosks, where there is no person-to-person interaction .

2. Understand the Structure of PCI DSS and associated standards
PCI DSS has 12 high-level requirements including more than 200 controls categorized into three areas: technical solutions and settings, policies and procedures, and training. PA-DSS has 13 high-level requirements using a similar structure. PTS is a suite of modules-based controls.

PCI DSS is validated either through a self-assessment questionnaire or through an annual on-site audit performed by a Qualified Security Assessor (QSA), depending upon the number of transactions your organisation processes per year .

3. So which requirements cover training in the PCI standards suite?
PCI DSS requirement 12.6 covers in-scope staff security training: "Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security." It has two sub requirements. 12.6.1: "Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data" and 12.6.2: "Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures." This applies to all staff members who have physical or logical access to credit cardholder data (CHD) regardless of whether they use that privilege.

Thus, in theory, any person working on computer systems that contain credit cardholder data must be trained, even if he or she never accesses payment application software. Any person working at a cashier or in a call center environment where CHD may be provided by customers is in scope for such training. By extension of this, all technical staff managing call-recording systems, which may contain CHD (even if encrypted according to rules of PCI DSS), are also in scope for such training.

PCI DSS requirement 6.5.a also includes secure coding requirements for developers of in-house non-commercially sold payment applications. "Obtain and review software development processes. Verify that processes require training in secure coding techniques for developers, based on industry best practices and guidance." Further references to training on specific procedures or technical training are spread throughout the standard. For instance, control 12.9.4 mandates that entities "provide appropriate training to staff with security breach response responsibilities."

In any event, commitment to complying with the standard must come from top management and filter down to all staff. Therefore, program managers, their teams and C-level team members must receive appropriate best practice security training covering physical security, personnel security, data security, IT security and crisis management.

- PA-DSS dedicates a full high-level requirement to training. Requirement 13: "Maintain instructional documentation and training programs for customers, resellers and integrators." This requires payment application vendors to provide training programs to end users and distribution channels.

- PTS does not have any explicit requirement for training, but implies training is provided to administrators and users of devices covered by the standard.

4. What should PCI DSS training for in-scope staff cover?

It should cover the following items:

- Structure of PCI DSS

  • PCI DSS is one of three interlinked payment data security standards, namely PA-DSS, PTS and PCI DSS

- PCI DSS has 12 high-level requirements structured in six control groups

- Information held on credit cards – PAN, CVV2, exp date, holder details

  • Your training program should clearly explain the information that's on credit cards, which of that information is sensitive, and how it can be handled according to PCI DSS, especially requirement 3.4

- Actors of credit card payments chain and how credit card transactions work

  • Staff needs to understand the lifecycle of a credit card transaction, from the point-of-sale device or virtual terminal, to the payment gateway, to banks and back. It is crucial to understand that all actors within the payments ecosystem have to be in compliance, and that credit cardholder data is safe at all stages of the transaction.

- Overview of key controls

  • PCI DSS includes a mix of requirements for policies and procedures, technical settings and solutions, as well as requirements for awareness training.
  • All controls are aimed at protecting cardholder data and ensuring that all transactions, and all activity within the cardholder environment, is traceable.

- Do's and don'ts of CHD handling

  • Credit cardholder data is sensitive. Full stop. Staff should not communicate it for any other purpose than the payment it is being shared for.
  • Paper-based payments, including credit cardholder data, are also protected under PCI DSS: Data needs to be protected, stored securely and disposed of securely.

- How to report an incident

  • PCI DSS is meant to be pro-active, to allow staff to take corrective action should anything go wrong, e.g. Implementing an Incident response plan that helps employees identify potential incidents, and understand what steps to follow in the event of potential credit cardholder data breaches.

All of the above information helps in-scope employees mitigate the most common physical, logical and social engineering-based attacks on CHD.

5. What should secure coding training cover as regards to PCI DSS?
Ideally, developers should learn about the software development lifecycle, best practice software security, OWASP top 10 and the SANS top 25. The ultimate aim is to ensure payment application security becomes part of the DNA of your organization to protect customers' CHD.

6. Small print and other tips for PCI DSS training strategies
If you are validating compliance using a self-assessment questionnaire, ensure you can demonstrate compliance with all requirements, including 12.6, 6.5.a and 12.9.4. If assessed by a QSA, then note that staff may be interviewed and training attendance sheets signed by staff may be requested. Training materials should be made available to assessors for both standard and secure coding training.

The best, most cost-effective way to provide training is via e-learning . Since e-learning is typically cloud-based, it requires almost no maintenance from the organisation's side. This allows PCI program managers to easily disseminate security information, forces staff to read and acknowledge security policies and procedures, and test that staff understands CHD security best practice. Furthermore, staff can take the training on their own time, in several chunks. Given that training is required annually, e-learning also allows organisations to continually train and retrain users in a verifiable way accepted by QSAs. Online tests are likely to be mandatory with 24 months.

About the author:
Mathieu Gorge is the CEO and founder of VigiTrust. He specializes in PCI DSS, HIPAA & ISO 27001 and speaks regularly at international security conferences.

Read more on Regulatory compliance and standard requirements

Data Center
Data Management