Employee awareness of common security threats is a crucial line of defence when protecting your organisation from attacks. Within the retail sector, this is especially important as any security compromise could expose the payment details of thousands of customers.
For this reason, it is essential that retailers have a solid PCI DSS employee training programme in place that ensures employees know what best practice to follow to help prevent data leaks or cyber-attacks. But what should your training program look like? In this blog, we’ll try to shed some light on this and give some practical tips on how to approach this requirement.
What are the official PCI DSS awareness requirements?
On the face of it, the PCI DSS requirements with regards to user awareness are quite simplistic. Requirement twelve (12.6) states that employees must be educated upon hire and on an annual basis thereafter, and it must be demonstrated, recorded and audited that the training was completed. What the standard doesn’t give us is a detailed statement describing what that training should entail.
The published guidance states:
“If personnel are not educated about their security responsibilities, security safeguards and processes that have been implemented may become ineffective through errors or intentional actions.”
General awareness training cover topics such as phishing, malware, and good password practices, which is of course important. However, the requirement for awareness extends well beyond this generalised ‘cyber hygiene’ information. In order for retailers to protect their customers’ payment data, it is important to ensure your “front line” employees are well educated about the specific threats they might face, how to spot them and crucially, how to respond in the event of an incident.
What should retail PCI DSS awareness training cover?
To get the best return on investment in training your teams, PCI DSS awareness training should be tailored to the individual’s role, and how they will interact with payment card data. A QSA does not expect your employees to be capable of reciting PCI DSS requirements verbatim, nor would we expect a perfect recital of the wording used in your policies and procedures.
For more specialist roles, such as those people tasked with managing infrastructure, clearly more detailed and specific knowledge is expected. For those that work in retail, taking card payments is only a small part of their role. What your QSA expects is for these employees to demonstrate an awareness of how to protect the payment card data they come into contact with on a day-to-day basis, as well as a general understanding of cybersecurity.
The PCI DSS specific knowledge that you need to cover in employee training for retail roles can be quite limited. It will vary depending on whether the employee works in a face-to-face (card present) setting, E-Commerce, or in a contact centre handling phone payments.
Employees in all three settings should be aware of what payment card data is, and why it must be protected at all times whether holding, storing or processing the cardholder data. They should also understand common threats, such as skimming devices, phishing, fraudulent phone calls, and malicious emails. The advantages of educating around these threats is that it can make the training more relevant, exciting and relatable to the regulation and policy directives.
7 topics your PCI DSS retail employee training should cover
- The basics: What is payment card data (and what isn’t), and why it’s important to protect it
- Physical security: How to manage physical security of payment card data by protecting payment devices, associated systems and physically stored data.
- The bad guys: Who’s trying to steal your payment card data, how do they do this and where/when it has happened?
- What to look for: What are the ‘tell-tale’ signs in identifying attempts to breach payment card data.
- What to do: How to prevent attempts to breach payment card data, and the process for reporting and escalating suspicious events and behaviours.
- Call centre security: Your process and good practices for telephone (card not present) payments.
- General awareness: Cybersecurity awareness, commonly encountered scams and techniques, how to protect yourself and use the internet on your devices safely at work and at home
How to implement PCI DSS awareness training in retail
Front line staff in retail settings, be it face-to-face, telephone, or even E-Commerce, are your eyes and ears when it comes to detecting and responding to events that may lead to a breach in payment card data. These data breaches are getting ever more creative and nuanced, so it’s good to have an open dialogue with your staff.
If your training programme is focussed purely on achieving PCI compliance in retail, then chances are you’re not realising the full benefit of your investment in the training process, both financially and in terms of the time and resources allocated to this.
Businesses that focus on education for education’s sake can create a proactive culture in which their employees are genuinely engaged with cybersecurity, with the added benefit of maintaining compliance with a whole host of PCI compliance regimes and standards for retail, including but not limited to PCI DSS.
Investing in effective and relevant awareness training is therefore crucial to help protect your organisation’s reputation, finances, employees, and of course your customers.
For more information on how to implement PCI DSS awareness training within your organisation, don’t hesitate to reach out to our LRQA team.