We're very focused on PCI compliance in our company. We want to start at the source -- the employees -- and make...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
sure every member of the company is well versed in PCI DSS requirements. It may be somewhat unusual to make PCI compliance a company-wide activity, but I think that working together as a team to stay compliant can help prevent incidents. I want to provide PCI awareness training for my staff, but I'm unsure where to start. I don't think making them read the PCI DSS guide itself will be beneficial. Are there some training programs you could recommend or best practices we can teach our employees to at least cover the basics?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
You're definitely on the right track -- making all of the employees in your organization aware of PCI DSS requirements is not only a good idea, it's required by the PCI DSS standard. Fortunately, there are several good programs out there that are designed to ease this burden. For example, you might want to consider the SANS Institute's Securing the Human program (which also provides non-PCI security awareness modules) or the PCI Security Council's noncertification training programs.
As you consider a PCI awareness training program for your organization, I encourage you to include several factors in your analysis:
- Does the program meet the basic requirements of your PCI awareness needs? For example, if you're looking for something to cover a PCI DSS requirement, does the program include content on credit card security?
- Is it possible to kill two (or more) birds with one stone? For example, does the program offer a modularized approach that meets HIPAA training requirements or fill another need within your organization?
- Does the vendor providing the PCI employee training offer automated tracking of who has completed the training program? Will the system provide automated "nagging" of non-participants?
Outsourcing PCI DSS awareness training is also a great way to take some of the burden off internal staff and meet one element of your compliance obligations.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get ...continue reading
A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best ...continue reading
Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.