The guidance will help merchants educate staff on protecting cardholder data.
The guidance will help merchants educate staff on protecting cardholder data.

New guidance from the PCI Security Standards Council (PCI SSC) has been released to help organizations educate their staff on cardholder data protection.

Published Thursday, the 25-page guidance (PDF), called “Best Practices for Implementing a Security Awareness Program,” focuses on three integral steps: assembling a security awareness team responsible for the lifecycle of the program; determining what security awareness content should be used in training employees; and establishing a checklist that facilities the monitoring or maintenance of the security awareness program.

A PCI Special Interest Group consisting of retailers, banks and technology providers developed the guidance, PCI SSC said in a release.

Included in the guidance are two appendices: “a sample mapping of PCI DSS Requirements to different roles, materials and metrics, for documenting how PCI DSS requirements could be incorporated into their training program frameworks, and a sample checklist for recording how a security program is being managed,” the release said.

The PCI Security Standards Council was founded in 2006 by payment card companies American Express, MasterCard, Visa, Discover and JCB International, and was tasked with educating merchants, and other involved parties handling cardholder data, on the PCI Data Security Standard (PCI DSS).

Of note, the new guidance provides a diagram (pg. 4) that helps merchants group staff according to their job function. The guidance distinguishes three roles – all personnel, specialized roles, and management – as well as their specific security awareness responsibilities.

Management, for instance, are expected to “understand the organization's security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues should they occur,” the guidance said.

Managers of employees with “privileged access” would, therefore, need a “solid understanding of the security requirements of their staff,” particularly employees able to access sensitive card data, the document added.

All personnel within an organization would need to undergo general security awareness training, the guidance continued, which would educate them on card security requirements for varying payment environments, like card present and card-not-present transactions or instances where card data is collected over the phone, by mail or online. Other general security training would include secure practices for working remotely, mobile device security, and defending against social engineering attacks that include phishing or spear phishing ruses, the guidance said.

“Whether it's, POODLE, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk,” Troy Leach, the CTO of PCI SSC, said in a statement. “PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information. This guidance can help businesses focus on the ‘people' part of the equation and build a greater culture of security awareness and vigilance across their organizations.”