News Feature | November 20, 2014

New Security Awareness Guidance Published By PCI Security Standards Council

Christine Kern

By Christine Kern, contributing writer

New Security Awareness Guidance

The PCI Security Standards Council has published guidance for dealing with and protecting sensitive payment information. “Best Practices for Implementing Security Awareness Program” was developed by the PCI Special Interest Group including retailers, banks, and technology providers. The guidance focuses on three key areas: raising security awareness; developing appropriate security awareness content for the organization; and creating a security awareness training checklist.

“The first step in the development of a formal security awareness program is assembling a security awareness team,” the paper notes. “This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended the team be staffed with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization.”

“Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program,” the paper continues. “The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.”

The second step is to develop appropriate awareness content for the organization, being aware that different roles require differentiated education.  “Management has additional training needs that may differ from the two previous areas," according to the paper. “Management needs to understand the organization’s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues should they occur. The security awareness level of management may also need to include an overall understanding of how the different areas fit together.”

This ties into the third recommendation of the guidance: creating a security awareness checklist. “Whether it’s the POODLE attack, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk,” PCI SSC Chief Technology Officer Troy Leach said in a statement.

“PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information,” he said. “This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organizations.”

Access the full report here.