Cybersecurity, Policies and Training

How to Run an Effective PCI Compliance Training Program

Congratulations on your decision to become payment card industry (PCI)-compliant!

There’s no time like the present to solve cybersecurity-related business concerns while improving your data infrastructure and process management at the same time. In the competition to keep bad guys away from your business’s (and your customers’) sensitive data, PCI compliance is a popular, well-known standard to adhere to for protection. Companies that are PCI-compliant demonstrate a strong awareness of best cybersecurity practices, especially as they pertain to storing data and handling credit card transactions.

Customer paying with credit card at cafe

LightField Studios /

PCI compliance self-assessments are a rigorous first step toward compliance, and they deserve a lot of attention and effort. When you’re completing a self-assessment, you’ll do well to stick to high standards across the board as you test different controls. If you’re a tough judge on yourself early in the process, you’ll find that the certified audit will go much easier later.

But the best-case scenario for warming everyone up to PCI compliance and achieving it is one in which the topic becomes a casual piece of the work culture. Educate your employees at every opportunity on why compliance is important and why it matters to you personally. This impact trickles down the hierarchy to become a talking point for many employees, even if it doesn’t necessarily touch their job description. Compliance becomes a shared reference point for many (if not all) workers because leadership made it clear that compliance is related to business success.

But you can’t snap your fingers and create an environment where coworkers are comfortable schmoozing with each other on topics of compliance and how thrilled they are to be directly or indirectly involved in it. That kind of hard-won culture takes thoughtful consideration to achieve. If you want the average waterline of employee knowledge to rise on cybersecurity and form a shared understanding of what optimal business processes look like, then you need to start a PCI compliance training program.

Don’t let the concept daunt you; it’s actually quite easy to make this happen. There’s even significant published guidance on how to make it happen for your organization.

Compliance training programs exist to promote general security awareness and reinforce best cybersecurity practices within an organization. Those attending the training program learn what compliance involves, why it’s a desirable outcome, and how their job descriptions do or don’t touch compliance.

Here’s how to make that training program effective:

Get buy-in from the managerial level to make the training program happen.

It is often a business’s employees—not its higher-level managers or specialized cybersecurity staff—who need to gain familiarity with PCI compliance topics. That kind of influence needs to trickle downward in order to set a new and updated tone for everyone: that PCI compliance is important and everyone’s going to do what it takes to achieve it.

Only management can follow through on something that would disrupt business as usual, and a training program that carries an organization to compliance certainly counts as something extra or beyond. It involves regular meetings beyond what might already be scheduled (or rescheduled) for an ordinary day or week.

Make sure people understand their role within the organization’s overall cybersecurity posture.

A company’s vulnerabilities today often aren’t information security weaknesses but rather human weaknesses. Businesses’ systems can be buttoned up tight and impenetrable, but an attack on human engineering could literally trick someone into giving away sensitive data to a malicious third party.

It’s important that your training program be clear on where and how everyone’s job descriptions fit together to form a holistic picture of cybersecurity. It isn’t just one person’s job to keep a network safe and alive; it’s a distributed team effort—everyone plays a role.

Someone participating in a PCI compliance training program should definitely be able to offer why (or why not) his or her work connects to compliance and why compliance is important. This is a foundational piece of knowledge that can make a lot of hard work easier when more people on a team share it. When more members of a team large or small share awareness of a bigger-picture idea they can directly contribute to (in this case, PCI compliance), it becomes a unifying force among the team and instantly gives everyone something to talk about with someone else.

Make sure people get their questions answered.

Have your experts on hand to take the time to slowly fill the staff’s collective knowledge with information about cybersecurity and PCI compliance. Different people exist at different levels on cybersecurity, and two people working in the same office might come down very differently on the same line. A younger, tech-savvy person might have a sense for picking strong passwords or know what goes into processing a credit card transaction online, but this is not every employee.

There are those for whom talk of compliance will come with a lot of questions and perceived gaps in knowledge. But the idea is not to make everyone an expert overnight. The goal is just to make everyone a little more knowledgeable on a niche field that makes the business stronger overall.

Becoming PCI-compliant is a powerful and decisive step toward conducting business online. Not only does it grant you the capability to process credit card numbers and run a business, but it also makes you a “steward of other people’s information.” And PCI compliance is about being a great steward of that information.

A PCI compliance training group is nothing more than a place where employees talk about cybersecurity and compliance topics. Yours can be as formal or casual as you like, but it will ultimately hinge on conversations about PCI standards, best cybersecurity practices for modern times, and how to fight back against hackers.

Each group will be different in practice, but implementing these tips as you run them will stack the deck in favor of higher-quality outcomes.

alt link text John Shin is the Managing Director at RSI Security and has 18 years of leadership, management, and information technology experience. He is a Certified Information Systems Security Professional, CISM, and Project Management Professional (PMP). He is the principal author of multiple Internet privacy and security technology papers, such as Dominant Cyber Offensive Engagement and Supporting Technology and Reconnaissance & Data Exfiltration for U.S. Air Force Research Laboratory.

Shin was responsible for external customer information systems, as well as the global infrastructure operations, at Abraxas Corporation, a risk mitigation technology company solely focused on the National Security Community. He also worked in several management positions for Genoptix Inc. (Nasdaq: GXDX) in the IT/Bioinformatic division. During his tenure at SunGard, he worked as an operations engineer responsible for mission-critical infrastructure and ISO-compliance system processes.