New PCI guidelines 'a good thing for retailers'

The PCI Security Standards Council has published new guidelines to help retailers improve company-wide information security awareness with a dedicated program. Developed by a PCI Special Interest Group, the Best Practices for Implementing Security Awareness Program information supplement provides recommendations for educating staff on protecting sensitive payment information.

It points the finger at humans, specifically their key role in understanding the various threats and remaining vigilant in protecting against breaches. New PCI compliance standards are considered more labor-intensive than the 2.0 standards.

POS terminal examinations will be more hands-on, e-commerce merchants who redirect payments to a third party will have to be in compliance, and more transparency with those third-party providers will be demanded.

There are three points regarding third-party providers that stand to help retailers in particular, said Greg Rosenberg, Trustwave security engineer.

First is the requirement that when merchants use a third party, such as an integrator, they need to articulate which PCI requirements are being addressed; second, service providers will now need to have a unique password for each retailer, rather than a universal one, to limit the scope of an attack; and finally, these third parties are now required to use two-factor authentication.

"Merchants need to be able to ask these third parties for proof they've implemented these controls," said Rosenberg. "These are very good things for retailers."

The guidelines have been developed by retailers, banks and technology providers, and are meant to assist organizations big and small with a variety of budgets. The information is not specific to retail organizations, but as retailers remain on the front lines of data security, the list of best practices will be of interest to merchants.

"Breach reports continue to point to the critical role that employee security understanding and awareness plays in identifying, protecting against and mitigating data compromise," said the group in a statement. "PCI DSS Requirement 12.6 highlights the necessity for organizations to have a security awareness program in place to educate personnel on the importance of protecting sensitive payment information and how to do so securely."

The first step in the development of a formal security awareness program is assembling a security awareness team responsible for the development, delivery, and maintenance of the security awareness program, according to the report.

Second, the report includes best practices to use when developing appropriate security awareness content and when creating a security awareness checklist to help when developing, monitoring, and/or maintaining a security awareness training program.

The guidance also includes a sample mapping of PCI DSS Requirements to different roles, materials and metrics, for documenting how PCI DSS requirements could be incorporated into their training program frameworks, and a sample checklist for recording how a security program is being managed.

"Whether it's POODLE, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk," said PCI SSC CTO Troy Leach. "PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information. This guidance can help businesses focus on the 'people' part of the equation and build a greater culture of security awareness and vigilance across their organizations."

PCI compliance is critical but won't guard against all types of attacks, including malware. The human element has increasingly proven to be the weakest link, as evidenced by what happened to Target (NYSE:TGT) in 2013. Target was PCI compliant, which helped minimize the number of credit cards compromised, but a single outside contractor provided hackers with an entry point that ultimately compromised the credit card numbers of 40 million Target shoppers and personal information of 70 million more.
