How to Rethink PCI DSS Training to Mitigate Breach Costs

3,046,456 every day, 126,936 every hour, 2,116 every minute. These figures represent the number of data records lost or stolen in the first half of 2016. Find out why and how your data protection strategy should include PCI DSS security and awareness training.

According to the Gemalto Breach Level Index report for the first half of 2016, It’s All About Identity, 974 breach incidents were reported and more than 554 million records were compromised in those six months alone. In the financial industry, denial of service (DoS), man-in-the-middle attacks, malware, attacks on EMV payment systems, social engineering, and similar threats put valuable financial information at real and present risk. However, when employees across the organization understand the risks and the warning signs of an attack, they can serve as the first line of defense against cybercriminal activity and help reduce both the cost and the damage of a data breach.

Understand & Keep Up With Payment Card Industry Data Security Standards (PCI DSS)

Every organization that stores, processes, or transmits cardholder data must adhere to the standard set by the Payment Card Industry Security Standards Council (PCI SSC) to protect that data. In PCI DSS 3.2, Requirement 12 instructs organizations to maintain an information security policy that covers all personnel. Requirement 12.6 specifically addresses formal security awareness education. Other requirements also shape employee behavior through access control: Requirement 7 restricts access to cardholder data by business need to know, and Requirement 9 restricts physical access to cardholder data and the systems that hold it.

To fully comply with the regulation, companies need more than a policy that gathers dust at the back of an employee handbook; they require a living document outlining practices and policies that are current with new releases. Best practices include:

  • Requirements 12.4 and 12.5 stipulate that the security policy clearly define information security responsibilities for all personnel, including contractors working for the institution, and that specific responsibilities be assigned for security documentation, monitoring and analysis of alerts, incident response, and administration and monitoring of access.
  • Requirement 12.6 requires a formal security awareness program: training for all new employees upon hire and a refresher at least once a year for existing employees. The page also notes that personnel should be evaluated to gauge their understanding, and Requirement 12.6.2 requires them to acknowledge, at least annually, that they have read and understood the security policy.

While simple on paper, adhering to PCI DSS regulations for employee awareness requires an ongoing commitment to education—especially because the nuances of the regulations are regularly updated and improved upon.

For instance, updated Self-Assessment Questionnaires (SAQs) for PCI DSS 3.2 (SAQ revision 1.1) were published in January 2017 to clarify the 3.2 requirements released in 2016. The 3.2 changes include technical controls such as multi-factor authentication for all non-console administrative access to the cardholder data environment (Requirement 8.3) and penetration testing to verify that network segmentation controls are operational and effective (Requirement 11.3.4), two very important components of a comprehensive security strategy.

Empower Employees with Proper Training

To justify training expenses, build a business case around the costs of not satisfying security and compliance controls. In a study of cyber incident response by the Ponemon Institute, researchers found that only 20% of IT security professionals regularly communicated with management about threats. That lack of executive awareness makes it difficult to secure funding and support for security measures and company-wide training.

In addition to maintaining compliance with PCI DSS requirements, employee training helps reduce data breach costs. The 2016 Ponemon Institute/IBM Cost of a Data Breach study put the average cost of a breach at approximately $158 per record, or about $4 million per breach. In an IBM study of 601 data security training professionals, 66% cited employees as the most significant security vulnerability. Employees click on unverified links in emails, miss common warning signs of compromise, and fail to secure their devices with strong passwords (if they password-protect them at all).

Consider each individual with access to sensitive information as a vulnerable endpoint. Every trained person represents better prevention and breach containment. To help organizations reduce internal risk, the Payment Card Industry Security Standards Council, the organization responsible for creating and maintaining the standard, offers a compliance training course. In the course, employees can learn:

  • More about the role of PCI DSS requirements in protecting payment organizations from data breaches.
  • Specific roles associated with compliance, including what the Internal Security Assessor and Qualified Security Assessor do to promote data security.
  • An overview of all 12 requirements and what compliance looks like in a real-world setting.
  • PCI DSS compliant infrastructure that allows for secure credit card payments and secure communication with payment facilities.

To take ownership of data security, employees may need more than a list of password policies and access control practices. If they understand the importance of meeting PCI DSS regulations, they will likely adopt best practices willingly.

Creating an Internal Line of Defense

If trained correctly, your team can deter threats, prevent them all together, or contain the progression of a breach. Consider implementing the following:

  • Simulate phishing emails, spam emails, and other known threats. Document the threats you know about to create awareness, e.g. a fraudulent email sent from someone pretending to be the company’s CEO and asking for personal information.
  • Create an acceptable use policy. Employees should know how they are allowed to use devices at work, which types of files they can download (and which to avoid), and how to have new devices scanned for vulnerabilities before connecting them to the company network.
  • Teach employees how to report potential problems and make them feel safe doing so. It is more important that employees report issues than that they be punished for responding the wrong way.
  • Provide ongoing training on PCI DSS security controls for all employees, plus advanced security training (firewalls, network segmentation and isolation, and secure remote access) for your IT team.
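The CEO-fraud scenario in the first bullet is worth pairing with a concrete check that can be taught to staff and also wired into a mail gateway rule. The following is an added example, not code from the original article or from OnRamp. It scores a message's From and Reply-To headers for three indicators of executive impersonation: a display name that matches an executive but an address that is not theirs, a sending domain that is a look-alike of the corporate domain, and a Reply-To that silently redirects replies outside the company. The corporate domain example.com, the executive roster, and the sample headers are all constructed for illustration.

```python
"""Flag e-mails that impersonate a known executive (added example).

All names, domains and sample headers below are constructed assumptions.
"""
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Hypothetical corporate domain and executive roster (assumptions).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES: Dict[str, str] = {
    "jane doe": "jane.doe@example.com",  # CEO
    "john roe": "john.roe@example.com",  # CFO
}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_reasons(from_header: str, reply_to_header: str = "") -> List[str]:
    """Return the impersonation indicators that fire for a message.

    An empty list means nothing suspicious was found in these headers.
    """
    reasons: List[str] = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = _domain_of(addr)
    key = " ".join(name.lower().split())

    # 1. Display name matches an executive, but the address is not theirs.
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sending domain is one character away from the real corporate domain.
    if domain and domain != CORPORATE_DOMAIN and _edit_distance(domain, CORPORATE_DOMAIN) <= 1:
        reasons.append(f"sender domain {domain} is a look-alike of {CORPORATE_DOMAIN}")

    # 3. From looks internal, but replies are redirected to an external mailbox.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = _domain_of(reply_addr.lower())
        if domain == CORPORATE_DOMAIN and reply_domain and reply_domain != CORPORATE_DOMAIN:
            reasons.append(f"Reply-To redirects replies to external domain {reply_domain}")

    return reasons


# Constructed sample messages: one legitimate, three impersonation attempts.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.com>", "reply_to": ""},
    {"from": "Jane Doe <jane.doe.ceo@gmail.com>", "reply_to": ""},
    {"from": "Accounts Payable <ap@examp1e.com>", "reply_to": ""},
    {"from": "Jane Doe <jane.doe@example.com>",
     "reply_to": "Jane Doe <jdoe-private@outlook.com>"},
]


def triage(messages) -> List[Tuple[str, List[str]]]:
    """Run the check over a batch and pair each From header with its reasons."""
    return [(m["from"], impersonation_reasons(m["from"], m["reply_to"])) for m in messages]


if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        verdict = "OK" if not reasons else "SUSPICIOUS"
        print(f"{verdict:10} {sender}")
        for r in reasons:
            print(f"           - {r}")
```

Only the first sample passes; the other three each trip exactly one indicator, which is the behaviour a phishing simulation should exercise one case at a time so that employees learn to spot each trick on its own. A real gateway would add authentication results (SPF, DKIM, DMARC) to these header heuristics.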

Effective training helps employees identify potentially harmful activity and follow best practices, such as using strong passwords and reporting suspicious activity, to mitigate issues and reduce the impact and cost of a breach. Share the PCI DSS requirements and company policies to maximize understanding within your organization and emphasize everyone’s role in compliance and security; their participation will make all the difference should your company experience a breach.

Rely on Experts that Serve Your Industry

Not everyone has the resources to keep up with the pace of cybersecurity threats and PCI DSS IT requirements—that’s where we come in. OnRamp specializes in developing high-security infrastructure that meets and exceeds PCI DSS regulations for the financial industry.

Additional Resources on This Topic:
PCI DSS Version 3.2 Brings Big Changes: What You Need to Know
Don’t Look Now, But PCI Just Changed Again
Multi-Layered Security: Ten Important Steps to Protect Your Business Data

Photo Credit: reobuyer Flickr via Compfight cc

This article was first published on Onramp.

Natalie Valent

As a Partner Success Manager at OnRamp, Natalie is responsible for onboarding new partners and enabling existing partners through training and co-marketing initiatives. ITIL and HIPAA for Business Associates certified, she helps OnRamp's partners find the best solutions for their clients' compliance, security, disaster recovery, and colocation needs.

