The PCI Data Security Standards were recently updated to version 4.0. PCI DSS v4.0 was officially released on March 31st, 2022 and is replacing PCI DSS v3.2.1. This update to the PCI DSS is the first significant update to the security standards since 2018. Some evolving requirements include new or modified requirements added to the PCI DSS to ensure the standard is up to date with emerging threats and technologies as well as changes to the payment industry, related to the security awareness training requirements.
Some of these changes require that information specific to the security of the cardholder data environment (CDE) be included in the security awareness training, which wasn’t required previously. There is now a stronger emphasis on training employees on PCI, security of the CDE, and security around cardholder data. So will your current training meet these evolving requirements to keep you compliant?
(NOTE: If you’re considering an outsourced PCI Security Training solution, our free tool below matches you with top-rated consultants that suit your needs and budget.)
In PCI DSS v4.0 requirement 12.6 is designated for security awareness education. In total this section includes five sub-requirements. Out of the five sub-requirements three are brand-new requirements added to PCI DSS v4.0. The three new requirements cover the following:
- Annual Updates/Review: The first new requirement mandates that the security awareness program is reviewed annually and is updated as needed to address any new threats and vulnerabilities that may impact the security of the organization’s CDE. Additionally, the training needs to include information about the personnel’s role in protecting cardholder data. This information should be updated if the personnel’s role in protecting cardholder data changes.
- Threats to the CDE: The next new requirement adds that security awareness training must include awareness of threats and vulnerabilities that could directly impact the security of the CDE. This requirement mentions that phishing and related attacks plus social engineering should be included, among other threats and vulnerabilities that can affect the security of the CDE.
- Organizational Policies/Procedures: The last new requirement is that security awareness training now needs to include awareness about the acceptable use of end-user technologies. This should be done in accordance with requirement 12.2.1.
In summary, these new requirements make it mandatory that the security awareness training include information about the security of the CDE and the protection of cardholder data.
Isn’t Our Existing Security Training Enough?
Every organization goes about security awareness training differently. Some organizations’ security awareness training is more detailed than others. This means that some organizations may already include the information mentioned in the new requirements, while other organizations’ security awareness training may not be up to par.
As part of due diligence, every organization that is applicable to PCI DSS should review their security awareness training to verify their training meets the new requirements.
In a broader scope, it would be wise for all organizations applicable to PCI DSS to perform a gap analysis to ensure they align with PCI DSS v4.0.
In your gap analysis, you should include a QSA/PCI Professional review of your training content to ensure that the content checks each of the new training requirements.
What Exactly PCI Security Awareness Training Requires
In PCI DSS v4.0 requirement 12.6 is designated for security awareness education mentioning that training is an ongoing activity. As mentioned requirement 12.6 has a total of 5 sub-requirements. The requirements in 12.6 are listed below. Included below are relevant tips and recommendations. * Denotes a new requirement in v4.0.
12.6.1 – “A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.”
This requirement states that organizations must have a formal security awareness program. The security awareness program should be implemented in such a way that it makes all personnel aware of the organization’s policies and procedures as well as the personnel’s role in protecting cardholder data. It’s also important that organizations have a security awareness program and that it’s maintained properly.
12.6.2* – “The security awareness program is:
- Reviewed at least once every 12 months, and
- Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity’s CDE, or the information provided to personnel about their role in protecting cardholder data.”
The focus of this requirement is on revolving threats and vulnerabilities that may impact the security of the CDE as well as the personnel’s role in protecting cardholder data. A majority of organizations may already review their security awareness program annually. Organizations should use the expertise of an ISA or QSA in order to include specific updates about the CDE and cardholder data protections. (See our comparisons of PCI QSA companies here.)
Given how rapidly the technology and cybersecurity landscape changes, it is smart for organizations to review their security awareness program to include new threats to the security landscape. The best practice is to review your operations annually in order to make improvements on training for the following year. Your security awareness program, or new PCI Awareness Training, should be included in these reviews.
12.6.3 “Personnel receive security awareness training as follows:
- Upon hire and at least once every 12 months.
- Multiple methods of communication are used.
- Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.”
As what’s current in 3.2.1, personnel should receive security awareness training upon hire and at a minimum at least once per year. Organizations may require certain employees (operational staff, non-technical staff, etc.) to take security awareness training more frequently to increase knowledge retention.
The next part of the requirement mandates that multiple methods of communication be used for disseminating the training. Some examples of methods include posters, letters, web-based training, in-person training, team meetings, and other types of incentives.
The final part of the requirement states that at least once per year personnel are required to acknowledge that they have read and understood the organization’s information security policies and procedures. Most if not all organizations should already be compliant with this requirement from 3.2.1.
While technically not part of the requirement the most challenging issue for organizations is enforcing and tracking that all employees take the security awareness training. An organization must track and enforce employee completion and acceptance of the training in order to be compliant. Organizations should designate time for employees to take the security awareness training as well as other training. Encouraging training time for employees will encourage employees to take training seriously.
220.127.116.11* – “Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including but not limited to:
- Phishing and related attacks.
- Social engineering.”
This requirement must include Phishing and other related attacks like various types of social engineering. If the threat affects your organization and CDE, it must be called out in the training. Some organizations may find this requirement to be the most difficult and abstract of the new security awareness training requirements to implement.
To achieve these requirements, more than likely organizations need to implement some custom training and information that specifically outlines how these threats affect them and their environments.
Since phishing and social engineering are the top forms of compromise in organizations, a majority of security awareness training probably already include content on these attacks. You must complement your training with this custom content. This can place a huge burden on organizations that might not have a team or specialized staff on hand to create this content.
The content in this training will be unique and vary from organization to organization. It would be beneficial for organizations to consult a PCI professional to verify that the custom content will achieve compliance with this requirement.
18.104.22.168* – “Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.”
12.2.1 “Acceptable use policies for end-user technologies are documented and implemented, including:
- Explicit approval by authorized parties.
- Acceptable uses of the technology.
- List of products approved by the company for employee use, including hardware and software”
This requirement references requirement 12.2.1, which is included above for reference. This new requirement is simple yet significant as it informs employees of the acceptable use of end-user technology. The utilization of employees using their own devices for work could potentially lead to a data breach since these devices can’t properly be managed by an organization.
While this new requirement may seem simple, it’s important that organizations update and maintain their AUP to prevent employees from inadvertently causing a data breach from personal devices. From an organizational side, technical enforcement should be put in place to prevent employees from being able to use personal devices to access sensitive data, like cardholder data.
As a tip, employees should never use personal devices or software for work unless given approval to do so.
How Can The Training be Implemented?
Your training approach may vary depending on the complexity, size, and available resources of your organization. Some organizations may opt to create their own security awareness training, while other organizations may use a 3rd party vendor for their security awareness training.
If an organization does decide to create its own security awareness training, it should verify that the person or team is qualified to do so. Get input from your PCI team or from your QSA. As you create your training, use the PCI DSS document following requirement 12.6 and the five sub-requirements to verify that the training criteria touch on all the points we mentioned in the requirements.
As a tip, an organization may want to get suggestions on content from employees to ensure that the training content is effective and engaging.
A training course in general is not valuable if employees don’t want to watch it. If possible an organization should get feedback from employees and make an effort to modify the content if deemed appropriate.
If an organization decides to get its security training from a third party it should perform research and due diligence on third-party vendors. Some areas organizations may want to review are price, quality of course, content of course, hosting of course (Learning Management System, LMS), course customization, vendor reviews, and qualifications of instructors among others.
A big area to consider with these new requirements is course customization. While a generic training course would probably be sufficient to comply with PCI, most organizations should look to add specific training points that directly relate to their organization. Some of these points can include points of contact and links to policies and procedures. Organizations should verify that the third-party vendor can accommodate this.
There are various factors to consider when reviewing third-party vendors. You must know what features are important to you and the organization and align each vendor to the list of features. Based on personal experience, organizations should not base their decision solely upon price. An organization should instead base its decision on the content and quality of the training course. A high price doesn’t necessarily mean the highest quality.
Ultimately, whichever approach an organization utilizes to comply with the security training requirements in PCI DSS v4.0 they should verify the implemented approach with whoever is performing their PCI DSS assessment. Whether the PCI DSS assessment is done by a qualified security assessor (QSA) or an internal security assessor (ISA) either one should be able to advise beforehand to validate that the approach meets PCI DSS requirements.
While being PCI DSS compliant is important, properly training employees on protecting the CDE and credit card data is one of your best lines of defense. Training shouldn’t just be a checkbox requirement for organizations, but something organizations take seriously and invest in.
Each employee plays a role in the security of an organization. In today’s world, there is an increase in cyber-attacks therefore it is important that employees have the proper security knowledge and training. Ensuring employees have the proper security knowledge and training can make a tremendous difference and possibly prevent an organization from suffering a security breach.
My Outsourced PCI SAT Solution
If you’re looking to invest in an outsourced PCI Security Awareness Training program that does check each requirement and satisfies all of the above-mentioned points, my company Maven X recently released this PCI 4.0 Awareness Training & Education course.
This training course was created by two ISAs who together have a combined 7 years of experience in the PCI industry. The course was specifically designed to comply with the new training requirements 12.6 in PCI DSS v4.0.
Maven X offers several different volume pricing options as well as two different deployment models to target the training to specific employee job types. In each deployment model, videos provide generalized information on PCI topics along with custom slides that are specific to the information in your organization. Maven X can either host the course for your organization through their LMS or host the course through your own corporate LMS.