Security Awareness Training Requirements of PCI DSS

By: admin | In: Blog, Press Release | July 8, 2015

Training Requirements of PCI DSS

Security awareness was one of the key drivers behind PCI DSS 3.0. This article walks through what the standard asks of a security awareness program and what an organization needs in place to satisfy that requirement, following the PCI Security Standards Council's own guidance on implementing such a program (see Reference).

What does PCI DSS say?

PCI DSS states in requirement 12.6 that organizations must "implement a formal security awareness program to make all personnel aware of the importance of cardholder data security," with the guidance that "if personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions". The sub-requirements make this concrete: personnel must be educated about their security responsibilities upon hire and at least annually (12.6.1), and they must acknowledge in writing, at least annually, that they have read and understood the security policies and procedures (12.6.2). In practice this means keeping a record for each employee showing that they received the training and that they made, and continue to make, a commitment to comply with those policies; an assessor will ask to see it.

Requirements for an Organizational Security Awareness Program

Security awareness matters because most disclosures of sensitive information trace back to the people handling it, not to a failed control. It is therefore important for organizations to develop and maintain a security awareness program that ensures employees know their responsibilities when it comes to protecting sensitive information. The program should be an ongoing practice: training and knowledge are not delivered once a year and then forgotten, but reinforced so that a high level of security awareness is maintained day to day. The main ingredients of a security awareness program are:
  • Security Awareness Team: Every organization planning a security awareness program needs a team that owns it. The team's responsibility is to develop, deliver and maintain the program. Its members should be drawn from all areas of the organization, not only from IT, so that the training reflects how cardholder data is actually handled.
 
  • Segregation of roles and duties: Once the security awareness team is in place, each member should be trained so that they understand their own responsibilities and duties. The same role-based approach applies to the audience: personnel in a management role, for example, should receive training specific to that role in addition to the material that all personnel need to know.
 
  • Distribution of training content based on roles: Once roles are segregated, training content is assigned per role so that each group receives the material needed to meet the requirements of a particular compliance regime such as PCI DSS (see the requirement matrix below).
 
  • Metrics: Metrics should be defined to measure whether the program is working. They will vary by industry. Examples of operational metrics are:
    • Increase in reporting of security incidents by personnel
    • Number of high or critical findings from active vulnerability scans
    • Reduction in malware outbreaks and in PC performance issues related to malware
Similarly, examples of training metrics are:
  • Increase in the number of personnel completing training
  • Increase in personnel comprehension of the training material (for example, assessment scores before and after training)
 

PCI DSS requirement matrix for a Security Awareness Program

The matrix below maps PCI DSS requirements to the personnel who need training on them and to the material the training can draw on.

| Req. No. | Requirement | Target personnel of an organization | Content for security awareness training |
|---|---|---|---|
| 1.x | Install and maintain a firewall configuration to protect cardholder data. | Personnel of IT department | Standards such as ISO, NIST, etc. |
| 1.4 | Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (e.g., laptops used by employees) and which are also used to access the network. | All personnel | Documentation of the organization-wide policy on use of personal firewalls |
| 2.x | Do not use vendor-supplied defaults for system passwords and other security parameters. | Personnel of IT department | Best-practice documentation from vendors |
| 3.x | Protect stored cardholder data. | Personnel of IT department | Regulations such as GLBA and SOX |
| 3.7 | Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. | All personnel | Regulations such as GLBA and SOX |
| 4.x | Encrypt transmission of cardholder data across open, public networks. | Personnel of IT department | Best-practice documentation from vendors |
| 4.2 | Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.). | All personnel | Organization-wide data retention and key management policy |
| 5.x | Protect all systems against malware and regularly update anti-virus software or programs. | All personnel | Organization-wide antivirus and anti-malware policies |
| 6.x | Develop and maintain secure systems and applications. | Personnel of IT department | PCI DSS, OWASP Top 10, CWE/SANS Top 25 Most Dangerous Software Errors, NIST, COBIT 5 Appendix F, CIS Security Benchmarks |
| 6.4 | Follow change control processes and procedures for all changes to system components. | Personnel of IT department | PCI DSS, OWASP Top 10, CWE/SANS Top 25 Most Dangerous Software Errors, NIST, COBIT 5 Appendix F, CIS Security Benchmarks |
| 7.x | Restrict access to cardholder data by business need to know. | Personnel of IT department | Vendor-specific materials for authorization and authentication; organization-wide access control policy |
| 8.x | Identify and authenticate access to system components. | Personnel of IT department | Vendor-specific password management and authentication policies; organization-wide access control policy and password policy |
| 9.x | Restrict physical access to cardholder data. | Personnel of IT department | Organization-wide physical security policy |
| 9.9 | Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. | Merchants | Organization-wide physical access policy, including visitor policies and access points |
| 10.x | Track and monitor all access to network resources and cardholder data. | Personnel of IT department | Standards such as ISO, NIST, etc. |
| 11.x | Regularly test security systems and processes. | Personnel of IT department | Common vulnerability frameworks, including OWASP Top 10 |
| 12.x | Maintain a policy that addresses information security for all personnel. | Personnel of IT department | Standards such as ISO, NIST, etc.; organization-wide risk assessment process and information security policy |
| 12.2 | Implement a risk-assessment process. | Personnel of IT department (management) | Standards such as ISO, NIST, etc.; organization-wide risk assessment process and information security policy |
| 12.6 | Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. | All personnel | Standards such as ISO, NIST, etc.; organization-wide risk assessment process and information security policy |
| 12.8 | Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data. | Personnel of IT department (management) | Standards such as ISO, NIST, etc.; organization-wide risk assessment process and information security policy |

Reference

  • PCI Security Standards Council, Information Supplement: Best Practices for Implementing a Security Awareness Program, version 1.0 (PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf)