Nothing is certain but death and taxes. And PCI DSS training. If your organization is PCI compliant, employee training is a necessary part of it. And most people look forward to PCI training with the same enthusiasm as taxes.
That said, there are good ways to train your organization on PCI DSS and bad ways to train them. PCI training shouldn’t be something you slap onto the end of your compliance engagement as an afterthought, because it will play a huge role in successfully maintaining compliance. And it will make a significant difference in proactive protection for the organization.
PCI training is vital, because the human element forms a critical part of the shield that protects your company. You need everyone to take security and compliance seriously, to be in the loop, and to understand what their roles and responsibilities are.
Do it well and PCI training will help establish a culture of compliance at your organization that becomes as natural as breathing.
Before You Start PCI Training
Your goal for PCI training is to get to the point where everyone takes security and compliance seriously, and it becomes a part of daily organizational life. Your employees don’t have to be PCI experts; they just need to know what it is and why it matters. And they should follow basic best practices.
Before you train your employees, make sure you’re in alignment with PCI in the first place. You need to know and understand the standard itself, but you also need to have policies and documentation in place as the basis for the training.
As you gain alignment with PCI DSS, you develop a number of elements and artifacts that are essentially the documented outcome of your efforts to compare your organization to PCI DSS. Those documents form the basis of a lot of the training that will take place. In particular:
- The overall information security policy
- Your acceptable use policy
- The incident response plan
- The business continuity/disaster recovery plan
Once you have these elements in place, you’ll have the source material you need for PCI training.
Who Needs to Be Trained in PCI DSS?
Everyone in your company needs to have PCI DSS training. Literally everybody — from the administrative assistant to the CEO to the people in HR and Sales. That includes full-time and part-time employees, interns, temporary staff, contracted employees, and any vendors that have access to your sensitive data.
(If vendors train their employees in PCI DSS, then that’s acceptable.)
Most of your employees simply need to understand the general obligations of general users. You can tackle that by providing three types of training:
Security Awareness Training (SAT). Security Awareness Training is a general overview of security and compliance rules and regulations for general personnel in your organization. Everyone needs to receive this training, at hire and annually.
Acceptable Use Policy (AUP). This training is often delivered to everyone in association with the SAT, at hire and annually. The AUP defines the acceptable use of technology in your organization. It lays the groundwork for the acceptable (and unacceptable) ways that your systems and devices should be used.
Security reminders. PCI requires you to issue periodic security reminders to your employees. There aren’t specific rules to follow, as long as you cover security and compliance topics that your personnel need to understand.
TCT issues a quarterly blog article and a quarterly podcast, which can serve as your security reminders. Each TCT reminder includes a specific best practice to follow, a tip on using TCT Portal, and a selection of recent security news stories.
TCT’s reminders are publicly available — you don’t have to be a client to take advantage of the quarterly security reminders. Feel free to distribute them to your staff and use them as your own reminders.
Specialized PCI DSS Training
Besides the general training for all personnel, some of your personnel will need specialized PCI training depending on their roles within the organization.
Incident Response Training. Anyone who is actively involved in incident response needs to go through a training exercise at least once per year. This is typically done internally, because it’s based on your company’s specific incident response plan. The training can be a tabletop exercise, or it can count a real-world, full exercise of the incident response plan that took place during the current compliance coverage period.
Secure Code Training. If your organization uses developers to do custom software development, they will need to complete Secure Code Training. This training is typically provided by external trainers, and there are dozens of places you can go to receive the training.
Every provider uses their own approach, so ask about the training styles and formats they use. Be sure to find a trainer who can address the general overview of secure coding (typically covering at least the OWASP Top 10), as well as secure coding techniques specific to the programming languages your developers use for your systems.
TCT can provide secure code training, or make recommendations based on your organization’s needs.
Additional PCI Training, As Needed
Beyond the official training requirements of PCI DSS, there may be optional training that you want to consider. For example, we often see HR departments struggling with onboarding/offboarding and managing access control. Legal departments need to understand what compliance provisions need to be added to vendor contracts and agreements.
In these kinds of cases, you need a trainer who has deep knowledge of both PCI DSS and your organization itself. A compliance consultant is an ideal resource to equip your personnel for the ins and outs of PCI requirements as they relate to specific areas of the business.
I cannot underscore enough the importance of hiring a consultant to help you navigate the waters of PCI DSS. A compliance consultant can assist with identifying gaps and getting your organization initially in alignment with PCI, preparing for the annual assessment, and keeping you up to speed with ongoing operational compliance requirements.
Retrain for PCI DSS 4.0
Switching from PCI DSS 3.2.1 to 4.0? You’ll find that a lot of elements have changed in the transition. As you get PCI 4.0 in place (or at least have the gaps and associated remediation identified), note the changed requirements and retrain your personnel on the modifications.
Don’t wait until the next scheduled training date — instead, provide the retraining as soon as you’re able to. Many of the changes in PCI 4.0 are significant enough that you need your employees to follow them as you make the transition. Keep in mind that the sooner the training, the smoother the transition.
Make PCI Training Enjoyable
You have a lot of flexibility in the way that you train your employees for PCI DSS. It doesn’t have to be a dry seminar led by a talking head. As long as you cover the material, you can do it however you want. For example…
- Take your people off-site to an upscale conference center or a retreat center.
- Include role playing or other active learning activities.
- Use multimedia presentations.
- Invent training games or compliance quiz competitions.
- Get your training catered.
The more engaging your training, the more successful you’ll be in creating a culture of compliance for your organization and in supporting your alignment with PCI DSS.
I can guarantee that your employees will never get excited about PCI DSS training. But you can build a training program that helps to keep your organization secure and compliant — while smoothing out the headaches as you attain and maintain your compliance program.