Requirement 12.6 of the Payment Card Industry Data Security Standard (PCI DSS) mandates a formal security awareness program and requires organizations to provide and verify PCI security awareness training for staff, including new hires, at least annually.
As explained by the PCI Council (PCI SSC), Requirement 12.6 is important because “if personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions.”
What is not explained within the DSS is exactly what the awareness training program is required to cover.
So, what should your organization’s PCI Training program cover?
Because payment cards are accepted in many different ways, a comprehensive PCI Training Program should include guidance for protecting data both in electronic and non-electronic (paper) form, and review approved handling procedures for each payment method in use within your organization:
- Card present
- Card not present
- Phone
- Fax
- Online/ecommerce
Your users also need to understand what exactly they are protecting and why ensuring the data security is important. Your training program should clearly explain:
- The sensitive information on payment cards
- How that data should (and shouldn’t) be handled according to the PCI DSS
- Impact of unauthorized access
- Consequences of non-compliance/possible compromises of cardholder data
Using real-world examples, lessons learned, and scenarios that are familiar to your staff can be helpful in getting this information across.
With the majority of fraud now moving online, it is critical to train your staff on cybersecurity best practices, including:
- Password security
- Email security
- Safe Internet use
- Staying safe on social media
- Device management
- Secure practices for working from home/remotely
And, for cashiers or others who process payment cards in their daily roles, there need to be clearly defined policies and procedures stating that payment cards are only processed on devices or systems designated strictly for that purpose. Explain within the training:
- Why general purpose workstations/computers should not be used for processing payments. For example, if a customer calls and asks a staff member to process a transaction on their behalf, employees should understand if and how they can assist without creating additional risk or non-compliance.
- The risks of mobile payment devices/dongles and organizational requirements for utilizing compliant devices.
Requirement 9.9 of the DSS also includes a training requirement: personnel must be trained to be aware of attempted tampering with, or replacement of, payment card devices. If possible, include the following in your training program:
- How to properly perform device inspections;
- Instructions for evaluating point-of-sale (POS) devices for tampering before use, and how often inspections are required in their areas;
- How to identify suspicious behavior, especially in areas where the public has access to payment terminals; and
- Directions to always verify the identity of third parties claiming to be repair or vendor personnel.
It can be helpful to work backwards from a data breach and consider how the compromise could have been prevented or how its potential impact could have been reduced. Doing so makes it easier to define the training topics your staff would benefit from most.
How did the breach occur? Did it stem from a phishing or social engineering attack? Was an unauthorized visitor allowed access to systems or payment card terminals? Did a staff member fail to shred paper documents with card information on them? All of these scenarios are possible and they should all be addressed within your training:
- Guidance on how to prevent social engineering like phishing, vishing, tailgating, etc.
- Physical security guidelines for visitor management, locked storage facilities, etc.
- Proper data storage and data destruction
Taking this train of thought one step further, we can see that all staff need to know what to do if a breach occurs:
- How to identify and where/how to report an incident
- What steps to follow in the event of a suspected compromise or breach
Most importantly, a training program should educate merchants on your organization’s internal procedures and emphasize that any changes in payment card activities, requests for new devices or applications, etc. must be reviewed by the appropriate IT teams, PCI team, etc. If merchants also understand your organization’s requirements around third parties (and the associated risks), they will be more vigilant when reviewing possible vendors and more diligent about moving through the appropriate approval channels.
Who should complete PCI training?
Employees will always be the largest risk to security, whether through their actions or inactions. All staff, including full-time and part-time employees, contractors, students, cashiers, etc. who handle or have access to the cardholder data environment should be trained on the importance of securing cardholder data. Requirement 12.6 of the DSS also requires personnel to acknowledge that they have read and understand the information security policy and agree to comply with it. Including the payment card and information security policies as part of the annual training is a good way to ensure staff meet both requirements and understand their individual responsibilities.
It is also important to ensure training is relevant to employees’ daily roles. IT staff, such as system, database, and/or network administrators and other staff with privileged access to the back-end systems that store, process, or transmit cardholder data (CHD), may not be interested in general training that covers how cards should be processed. Rather, those identified staff should be provided technical training that stresses the importance of secure system configurations and outlines the technical controls from the PCI DSS.
PCI training is required for staff involved in the payment card process at hire, and annually thereafter. However, organizations should take advantage of other opportunities to educate merchants throughout the year by sharing information security best practices, sending out reminders on secure payment processing activities, and scheduling check-ins with merchant areas to help answer any questions, provide alternative solutions, and verify compliant practices on an ongoing basis.
If your organization has any questions regarding the training requirements for your merchant staff, please don’t hesitate to reach out to us. You may also want to check out CampusGuard’s recently released PCI course bundle that includes role-based courses for Merchants, IT, and Executive-level staff. CampusGuard’s online training is available on our hosted platform or as SCORM training files for upload to your organization’s internal LMS.
Some additional guidance from CampusGuard’s Customer Relationship Management Team:
[Johnson]: It can be difficult to keep up with changing compliance requirements, ensure all staff are able to access up-to-date training, and build on their understanding of the importance of security awareness. Just this year, we have seen updates to CMMC, GLBA, and now the PCI DSS version 4.0 update is on the horizon. Although the final requirements from v4.0 will not be released until Q1 of 2022, the proposed drafts have included additions to training requirements for end users, including more emphasis on best practices to help prevent phishing and social engineering. As risks and threats continue to evolve, it is critical that your training programs are adapting as well.