Your Guide to Training Needs PCI Compliance


I’ve performed a number of Payment Card Industry (PCI) assessments and know that some of the PCI Data Security Standard (DSS) audit requirements can be unclear. I’ll help by breaking down the requirements important to training your staff to meet your PCI Compliance goals.

Keep in mind that a checklist approach to training won’t solve your application security problems, so try not to look at PCI Training as a checklist item. Instead, use your budget wisely to address real security concerns within your enterprise. In this post, I’ll use the PCI Data Security Standard (DSS) v2.0, which you can download here, as the reference. I outline the important controls, along with a deep dive into what’s required.

PCI-DSSv2 12.6 — Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

This is a major category and covers the Security Awareness portion of PCI-DSS. The idea is that your business is best protected when everyone who may touch cardholder data understands the importance of managing that data. This isn’t only about developers concerned with database compromise. It’s also about the business owner responsible for building the new mobile payment app securely, or the business analyst who comes across a printout of cardholder data and throws it into the trash, unaware of proper disposal.

Education is the first step, no matter what folks in industry may say about Security Awareness training. You should consider a context driven program to help people better understand the threats they may face on an everyday basis. I have yet to hear anyone say that they don’t care about their company and reputation, so this is about providing good awareness programs to educate them.

PCI-DSS (12.6.1) — Educate personnel upon hire and at least annually. (see below)

PCI-DSS (12.6.1.a) — Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web based training, meetings, and promotions).

Auditors will want to verify that your training program contains different media to help bring awareness over the course of the year. This could be through Security Awareness computer-based training that’s always accessible, handouts or posters around the office that warn against common threats (proper disposal, tailgating), or quarterly e-mails reminding teams about phishing attacks.

These are all just examples of what an auditor may look for but the idea is that your staff should be reminded over the course of the year through multiple forms of media, that they have a responsibility to the organization to be aware of cardholder threats.

PCI-DSS (12.6.1.b) — Verify that personnel attend awareness training upon hire and at least annually.

You must ensure that there is a process in place with HR that allows new employees to be trained on security awareness. Some organizations perform this training in person during employee orientation. Those with a more dynamic hiring process may choose to use a CBT Awareness course new hires will enroll in on their desktops. Either way, it is important to show that there is a process in place to ensure this happens.

In addition, it will be important to demonstrate that the program is taken by your teams on an annual basis. Ideally, the content within the Security Awareness course should be updated yearly to address the latest trends in security, for instance addressing concerns with the increasing use of smartphones and tablets in the office.

PCI-DSS (12.6.2) — Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy.

If you are using a CBT to train staff, employees will need to complete the course and acknowledge that they understood the contents of the course. This is often done by showing that the course was properly completed through Learning Management software. If you are performing awareness training in a classroom, you may require students to sign off that they are aware of their responsibilities.

The auditor will likely want to see a record of this within the Learning Management software, or a paper record of a new hire awareness training.

PCI-DSS (6.5) Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following.

The objective is to ensure that developers are aware of common application security threats in web applications today. Vulnerabilities such as cross-site scripting and SQL Injection are well known in the security community but not always in developer communities. Hackers will target web applications and their databases in order to access cardholder data, so it’s important that your developers can write code securely and, even before that, understand the threats involved in building secure web applications.

The points within PCI-DSS cover major weaknesses in web application development, but with regard to training, there is one control that is very important: 6.5.a.

PCI-DSS (6.5 a) Obtain and review software development processes. Verify that processes require training in secure coding techniques for developers, based on industry best practices and guidance.

This is written as a slightly vague control but the purpose is to allow some freedom as to the training you decide to purchase.

Most people, including our clients, go with the OWASP Top 10 guide to address the training area of this PCI control. The Online Web Application Security Project is a community that releases a list called the OWASP Top 10. Many developers have heard of this guide, and it is based on the top 10 web application security threats as seen by the community and industry experts. It is generally accepted as a very good guide to which security vulnerabilities to look out for when developing web applications and how to defend against them.

Our most popular course (available free with some ads here) is based on the OWASP Top 10 and we recommend it to our clients because there is a large community and many conferences centered around OWASP. This can help developers better understand security as there are generally more resources available on the web.

Ensuring that your developers understand and develop code based on secure coding guidelines is key to protecting your web applications from hackers. This is a good opportunity to get a strong application security training program in place to address this control and to ensure developers have a good baseline understanding of web application security.

PCI-DSS (12.9.4) Verify through observation and review of policies that staff with responsibilities for security breach response are periodically trained.

This final control related to Training involves staff who are responsible for managing incident response. It ensures that they are properly trained on how your organization should handle the incident. I wouldn’t recommend outsourcing this training because incident response is very unique to each organization if you consider the chain of command and how each organization will handle their response.

Typically, the control will be related to the incident plan itself and ensuring that your staff are aware of what needs to be done in the case that an incident arises. Organizations may not actually see an incident regularly, but when they do run into one, staff should know immediately how to respond.


The controls listed above are the main PCI-DSS requirements as they relate to security training. Take this compliance opportunity to build good training programs that deliver results to your organization. Don’t just do it to satisfy the auditors, because these controls are there to help guard against the very real threat of cyber criminals.

PCI Data Security Standard 2.0
OWASP Top 10
Security Compass OWASP Top 10 Course
Security Compass Security Awareness

