PCI Issues Security Awareness Guidance
Experts Say More Focus on Employee Training is Needed
PCI leaders have for months stressed the need for merchants to implement more structured employee education programs around data security. Now the PCI Security Standards Council has outlined just how it expects businesses that handle card data to address employee education.
In a 28-page supplement to security awareness program best practices, the council reiterates that continuing employee education about how to detect and mitigate data security risks is a PCI compliance requirement. Still, too many organizations, as recent breaches like the Home Depot attack prove, do not dedicate enough time and resources to employee education, the council says.
Shirley Inscoe, a financial security analyst for consultancy Aite, says most merchants, retailers and restaurants, in particular, don't understand PCI-DSS requirements, including the need for employee security awareness.
"Issuing a more descriptive interpretation of what steps are recommended to achieve security should be helpful to many in the payments world," she says. "At the same time, it is important for the readers to understand that these are examples used for clarification purposes, and that this new document is not meant to be all-encompassing. Fraud schemes change too rapidly for any documentation to be relied upon to cover every potential scenario."
Reinforcing the importance of security and providing more detailed explanations, along with best practices, should certainly add value, Inscoe says.
Tom Wills, director of payments consulting firm Ontrack Advisory, says most information security programs make employee education a low priority.
"Awareness is a critical piece of any sound information security program, and organizations often prioritize awareness below technology controls, such as security hardware and software, seeing awareness as less important or ineffective," Wills says. "This is unfortunate. Information systems are set up and used by people; and since information systems are complex, human errors and omissions are a given. That becomes a natural source of vulnerabilities."
Having guidance about security awareness is good. Most IT security teams don't know how to do awareness programs well, Wills says.
"I'm sure some people will complain that the guidance is just another burden piled onto an already unmanageable workload," Wills says. "But there needs to be room in every security program for awareness building."
PCI Requires Security Awareness
PCI-DSS requirement 12.6 specifically addresses security awareness and is a requirement that must be met for PCI compliance, the new guidance stresses. PCI-compliant organizations must have a security awareness program in place to educate personnel on the importance of protecting sensitive payment information, the council states.
Three key points noted in the guidance include:
- The need to assemble a security awareness team, which is responsible for the development, delivery and maintenance of the security awareness program;
- Why tailoring security awareness content to the business is critical to developing appropriate training material; and
- How businesses can use security awareness checklists to monitor their security awareness training programs.
The guidance's appendix also includes a detailed checklist with specific compliance recommendations for each of the PCI-DSS requirements included in version 3.0. While this guidance is directed at requirement 12.6, which deals with information security policies and awareness programs, it touches on a range of security best practices - a comprehensive take on PCI compliance that industry security experts agree is needed.
"The guidance is quite prescriptive, but it is also very current without being overreaching," says Al Pascual, director of fraud and security at Javelin Strategy & Research. While the guidance is detailed, it should be easy for merchants and others to follow, he says.
"Ultimately, whether or not the updated guidance will have a material impact on the security of a card-accepting business depends on the security posture of that business more than anything else," Pascual says.
Most businesses fall into one of three categories, he says: those that see PCI compliance as a baseline they strive to exceed; those that see meeting baseline PCI requirements as the goal; and those that view PCI as a needless burden.
"For businesses that see PCI as a burden, being compliant is a once-a-year exercise at most," Pascual says. "They will enjoy some benefit from the guidance, but odds are that they are likely going to be out-of-compliance most, if not all, of the time and are the most likely to be breached."