In this article we look at what training is required to comply with PCI DSS and why it is important, not just to achieve compliance, but to protect payment card information.

Organisations that accept payment cards must understand and comply with Payment Card Industry (PCI) Data Security Standards. These standards, developed by the PCI Security Standards Council, made up of American Express, Discover Financial Services, JCB International, MasterCard and Visa, are designed to ensure that cardholder data is processed, stored, and transmitted securely and protected from misuse and fraud.

What training is required for PCI DSS Compliance?

The training requirements in the PCI standard include security awareness training for all employees, with additional training for individuals involved in code development. 

Security Awareness

PCI DSS requirement 12 states that organisations must maintain a policy that addresses information security for all personnel. This includes (in requirement 12.6) that the organisation implement a formal security awareness program to make all personnel aware of cardholder data security policies and procedures.

Security awareness training for all employees, when they join the organisation and repeated annually, builds a culture of security. It plays an important role in ensuring that all employees understand the PCI standard and the best practices required to protect cardholder data. This knowledge strengthens the organisation’s efforts with employees that are aware and able to spot fraud and report possible issues. 

Secure Code Development

Developers need to be aware that malicious actors are continuously looking for new ways to circumvent security measures. PCI DSS 6.5 requirement recognises the importance of software security and states that developers must receive training in secure coding techniques at least once a year to ensure that the latest threats are understood and best practices are being followed.

Secure coding requires an understanding of how and where weaknesses can occur and best practices for identifying and addressing vulnerabilities. Training should also include hands-on exercises to practice newly learnt skills. For developers working in industries that are at a higher risk of attack (finance for instance) and that also are subject to additional regulation, training should also consider the context in which the developers are working.

NOTE – PCI DSS update from V3.2.1 to V4.0: Changes in version V4.0 relating to Training for Software Development Personnel

The training of software developers elements (previously Requirement 6.5 in V3.2.1) have been updated and restructured under Requirement 6.2.2 in PCI DSS v4. These changes ensure that the standard continues to be current with emerging threats, technologies and changes in the payment industry.

All software development related content are now aligned under Requirement 6.2. Read more about this update in our post  Securing the Code: Unpacking PCI DSS v4.0 Requirement 6.2.2 for Software Developers to ensure your team is up-to-date with the latest requirements. Don’t wait, act now to maintain your PCI compliance and secure your software development process. 

Why is PCI DSS training Important?

The objective of the PCI standard is to protect cardholder data. Employees, and the integral role they play in business processes pose a significant risk to securing this information. Either knowingly or unknowingly, employees can be the weakest link in security efforts.   If employees are unaware of the information they are protecting, what the risk to it is, and the consequences of a breach, security policies are ineffective. It is not enough to have a procedure detailing what action is required in the event of a data breach if the employees are unaware of what is expected of them. Employees are also a potential target for social engineering attacks. If employees are unaware of what these are and how to identify them, the organisation could be open to attack. 

Building secure code as it is developed, as opposed to applying fixes once a problem has been identified, reduces the risk of vulnerabilities that can lead to a data breach. The further along the SDLC process that an issue is addressed, the greater the cost and disruption. Getting the code into production is also delayed. Training developers to build secure code saves time, money and reduces the risk of security breaches.

Contact us and talk directly to one of our instructors about the role training plays in PCI DSS compliance and the training course or courses to best suit your needs. Learn more about how Security Awareness Training supports an organisation-wide culture of security and how the Secure Coding for PCI DSS course helps developers to apply the secure coding and application security standards needed for applications that process card payments and/or cardholder data.