With 85% of data breaches involving “the human element”, it is no surprise that PCI DSS version 4.0 introduced additional requirements around staff training and awareness.
PCI DSS v4.0 requires organizations to run a more formal security awareness program for the staff of their payment card merchants. The program should address the specific threats and vulnerabilities present in each merchant environment (that is, the risks specific to how that merchant takes payments). For example, front-end cashiers should be aware of the risk of skimming devices being attached to card terminals and should verify the identity and authorization of third-party support personnel before allowing them access to devices or secure areas. Where employees are exposed to phishing and could be tricked into disclosing credentials or other information that leads to a data compromise, the training should cover common phishing and social engineering techniques and explain where and how to report a suspected phishing email.
Many organizations now also operate hybrid environments and may have staff taking payments from home over the phone or on personal devices, so addressing the risks of mobile and remote work will be critical. IBM’s Cost of a Data Breach Report 2022 found that breaches in which remote work was a factor cost on average nearly $1 million more than breaches in which it was not.
Training should spell out the security controls required for remote work (e.g., may employees use personal devices? If an employee takes a payment over the phone, may a personal cell phone be used? May they use VoIP or softphone clients such as Jabber? May they write cardholder data on paper forms and bring it back to the office to process?). Operating hybrid or multiple payment environments introduces additional vulnerabilities and additional exposure to compromise.
PCI DSS v4.0 also requires the training to cover acceptable use of end-user technologies, so employees should be told how they are expected to access and use workstations, laptops, mobile devices and similar equipment, and should understand the consequences of not following the acceptable use policy. Training should cover not only appropriate use but also what can go wrong when an employee does not follow policy. Employees often work around or sidestep policy to finish a task faster or to help a customer, without realizing that their actions can cause non-compliance or a data compromise.
PCI DSS v4.0 also requires organizations to review the security awareness program at least annually and update it as needed. This requirement is considered a best practice until 31 March 2025, after which it becomes mandatory, but we recommend reviewing your staff training now so employees receive up-to-date information and understand their role in protecting the cardholder data environment. Refreshing ongoing training also keeps staff engaged, so they see it as a tool that helps them do their jobs and protect customer information rather than as a burden.
Review our recent article on what a comprehensive PCI training program should cover and who should participate. With National Cybersecurity Awareness Month coming in October, your teams can also look for ways to keep merchants engaged and improve awareness through ongoing training opportunities, tools, lessons learned, and alerts.