Why Most PCI Training Programs Are Ineffective… And What To Do About It

Posted on July 7, 2016 by lexi

It’s come round again, just like every year.

An automatic email ends up in your inbox, telling you it’s time to complete your annual information security training course.

So you follow the link and wind up in an online portal. You’re told to read through each page thoroughly and confirm your understanding.

Next. Next. Next. Agree. Time to forget about it for another year.

Sound familiar? It should.

This is how the vast majority of organizations treat their information security and PCI training. Is it any wonder that a new high profile breach seems to hit the headlines every other week?


Do This Or Else

I understand why organizations take this approach, I really do. Delivering annual training to a large cohort of employees is a difficult and potentially expensive thing to do.

But the thing is, breaches are really costly, both in terms of consumer trust and the hefty fines that are usually levied. They’re also becoming increasingly common, and point of sale (PoS) devices in particular have been targeted frequently during the past 18 months.

But let’s take a step back.

Before we look at the details, what do you have to do in order for your training to be considered PCI DSS compliant?

Well, first of all, you have to develop a program to train your employees as soon as they’re hired and at least annually after that. Your program should include more than one means of communication (e.g. online courses, posters, meetings, etc.), and you must also keep a record to prove that all personnel have read and understood your information security policy. Finally, any personnel with responsibilities for security breach response should be trained periodically.

When you look at these requirements, it suddenly becomes clear why so many organizations turn the training process into an electronic box ticking exercise. After all, that seems to be the obvious way to structure a compliant training program.

There’s just one problem. Most security awareness training programs are highly ineffective.

Now I don’t want you to think we object to electronic training packages. Quite the opposite: they’re a great way to distribute training and track user acceptance. The problem (usually) is simply that they’re used in isolation and with substandard training materials.


Do More Than You Have To

There’s one thing in particular I find strange about the PCI training requirements. On at least an annual basis, your personnel are required to read and confirm their understanding of your information security policy.

But policies aren’t written for personnel. They’re written to govern the design and maintenance of systems and processes.

Nevertheless, rules are rules, and you’re going to have to tick this one off… But please don’t stop there. In order to be effective, your PCI training program must also cover the procedural side of payment card security.

Is this person processing card payments? Great, there are a whole host of good and bad practices they should know about. Are they back-end technicians responsible for your payment systems? That’s fantastic, and they’ll need to follow secure coding guidelines that are changing all the time.

Security is a constantly changing landscape, and attackers constantly change their favored tactics and techniques. As a result of this, advice and procedures to minimize risk are also progressing at an enormous rate. If your training program looks the same year after year, you’re asking for trouble.

Ultimately, the most important elements to include are:

  • Best practices for the systems and procedures your personnel use
  • Why cardholder security is important and what happens when it goes wrong
  • The latest trends your personnel should be aware of (e.g. phishing and PoS attacks)
  • An opportunity for questions and feedback

And, of course, they’ll need to confirm they understand your security policy. Sorry, there’s no getting away from that.

Ultimately, the more interesting and actionable your PCI training program is, the more your personnel will get on board with it.

Box ticking exercises are viewed with contempt and boredom. Valuable training is (at least usually) met with some level of enthusiasm.


Getting It Done

However you decide to deliver your training, take the time and resources necessary to produce a truly valuable and current program that’s delivered over multiple channels.

Using an IT GRC platform is a good idea, as it will help you create, distribute, track and update your electronic training materials.

Our own platform, TraceCSO, includes ready-to-use templates for PCI compliance which are regularly updated and can easily be extended to include your own training materials. Not only does this make evidencing your compliance with PCI DSS requirements a much simpler task, it also frees up valuable resources to focus on content and complementary training methods.

If you do go down the electronic delivery route (and I suggest you do), it’s vital to reinforce it with regular communications, in-person workshops, posters, or whatever else you feel will help to keep security in focus. Make your training fun, and reward good security behavior in the workplace.

At the end of the day, if you can just make your personnel think about security as they go about their daily duties, most of the battle is already won.


Check out other posts in this series:

Post 1: PCI Compliance: What, Who, and How?

Post 2: How To Conduct a PCI DSS Risk Assessment (Even if You Have No Idea What You’re Doing)

Post 3: How To Manage Your PCI DSS Security Policy… And Why That Isn’t Enough
