PCI Security Awareness Training Requirements | Optiv

May 19, 2014

Recent high profile data breaches have much of the country keeping a closer eye on their bank statements and wondering how such a thing could happen. The events have resonated throughout the entire industry and changes in the Payment Card Industry Data Security Standards (PCI DSS) are almost a sure thing.

In some cases, businesses see PCI compliance as just another industry buzzword or an opportunity for another hidden fee, but the reality is that the security of PCI data is something important that you need to pay close attention to.

Certainly a well-defined security policy is necessary. And your own quarterly audits can ensure your security posture hasn’t changed. But one often overlooked or misunderstood aspect of PCI requirements is training.

The following table outlines where training is identified in the latest version of the PCI DSS.

6.5: Address common coding vulnerabilities in software-development processes as follows:

  • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.

9.9.3: Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:

  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Be aware of suspicious behavior around devices.
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel.

12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

12.6.1: Educate personnel upon hire and at least annually.

12.6.2: Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

12.1.4: Provide appropriate training to staff with security breach response responsibilities.
