In October, the Payment Card Industry (“PCI”) Security Standards Council published the Best Practices for Implementing a Security Awareness Program Information Supplement (“Supplement”) to help organisations educate their employees on the importance of protecting sensitive information, the care needed in handling it, and the risks of mishandling it.
The PCI Special Interest Group (“PCI SIG”) developed the Supplement with input from merchants, banks and service providers, to provide guidance on PCI Data Security Standard (“PCI DSS”) Requirement 12.6, which requires organisations to implement a security awareness programme.
The Supplement provides practical advice, including:
- Assembling a security awareness team responsible for the development, delivery and maintenance of the security awareness programme
- Determining roles for security awareness to tailor training appropriately
- Developing security awareness content appropriate to each organisation’s time, resources and culture
- Creating a security awareness checklist to plan and manage a security awareness training programme effectively
The Supplement includes a ‘Sample Mapping of PCI DSS Requirements to Different Roles, Materials and Metrics’ that shows how a training programme can incorporate PCI DSS, and a ‘Security Awareness Program Record’ to evidence a security awareness programme.
The Supplement could not come at a better time, as Cisco’s 2014 Annual Security Report found a 14% increase in cyber-attacks since 2013. This guidance should help organisations protect their data, and will aid those who are gearing up for version 3.0 of the PCI DSS, which governs the processing of payment card information and which we reported on in April.