Security awareness is one of the key drivers that led to PCI DSS 3.0. In this article, we will learn about the requirements that are essential for organizations to fulfill this PCI DSS requirement.
PCI DSS has clearly stated in requirement number 12.6 to “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security,” with guidance “if the personnel is not educated about their security responsibilities, security safeguards, and processes that have been implemented may become ineffective through errors or intentional actions”. PCI DSS also ensures that personnel should be educated about the security responsibilities and it should be taken in writing from them that they have completed that they have read and understood the security policies/procedures and that they have made and will continue to make a commitment to comply with these policies.
Security awareness is an important consideration that organizations should make in order to control the disclosure of information from employees. Thus is it very important for organizations to develop and maintain a security awareness program to ensure that employees are aware of their responsibilities when it comes to protecting sensitive information? The security awareness program should be an ongoing practice to ensure that training and knowledge are not just delivered as an annual activity, but rather it is used to maintain a high level of security awareness on a daily basis. Below are the main ingredients of a Security Awareness Program:
Similarly, training metrics will be:
| Req. No. | Target Personnel of an Organization | Content for Security Awareness Training |
| 1.x Install and maintain a firewall configuration to protect cardholder data. | Personnel of IT department | Standards like ISO, NIST, etc. |
| 1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network—e.g., laptops used by employees—and which are also used to access the network. | All personnel | Documentation on organization-wide policy on usage of personnel firewalls. |
| 2.x Do not use vendor-supplied defaults for system passwords and other security parameters. | Personnel of IT department | Best practices documentation from vendors |
| 3.x Protect stored cardholder data. | Personnel of IT department | Industry standards like GLBA and SOX |
| 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. | All personnel | Industry standards like GLBA and SOX |
| 4.x Encrypt transmission of cardholder data across open, public networks | Personnel of IT department | Best practices documentation from vendors |
| 4.2 Never send unprotected PANs by end-user messaging technologies—for example, e-mail, instant messaging, chat, etc. | All personnel | Organization-wide data retention and key management policy |
| 5.x Protect all systems against malware and regularly update anti-virus software or programs | All personnel | Organization-wide antivirus and anti-malware policies |
| 6.x Develop and maintain secure systems and applications | Personnel of IT department | PCI DSS, OWASP Top 10, CWE/SANS TOP 25 Most Dangerous Software Errors, NIST, COBIT 5 Appendix F, CIS Security Benchmarks. |
| 6.4 Follow change control processes and procedures for all changes to system components. | Personnel of IT department | PCI DSS, OWASP Top 10, CWE/SANS TOP 25 Most Dangerous Software Errors, NIST, COBIT 5 Appendix F, CIS Security Benchmarks. |
| 7.x Restrict access to cardholder data by business need to know | Personnel of IT department | Vendor-specific materials for authorization and authentication· Organization-wide access control policy |
| 8.x Identify and authenticate access to system components | Personnel of IT department | Vendor-specific password management, authentication, etc policies· Organization-wide access control policy and password policy. |
| 9.x Restrict physical access to cardholder data | Personnel of IT department | Organization-wide physical security policy |
| 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. | Merchants | Organization-wide physical access policy including visitor policies and access points. |
| 10.x Track and monitor all access to network resources and cardholder data | Personnel of IT department | Standards like ISO, NIST, etc. |
| 11.x Regularly test security systems and processes | Personnel of IT department | Common vulnerability frameworks including OWASP Top 10 |
| 12.x Maintain a policy that addresses information security for all personnel | Personnel of IT department | Standards like ISO, NIST, etc.· Organization-wide risk assessment process, information security policy. |
| 12.2 Implement a risk-assessment process | Personnel of IT department(management) | Standards like ISO, NIST, etc.· Organization-wide risk assessment process, information security policy. |
| 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. | All personnel | Standards like ISO, NIST, etc.· Organization-wide risk assessment process, information security policy. |
| 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data | Personnel of IT department(management) | Standards like ISO, NIST, etc.· Organization-wide risk assessment process, information security policy. |