  • Posted by: admin
  • London , UK
  • On Oct. 18, 2018, 10:53 p.m.
Training requirements vary according to the level of involvement, responsibilities, and how critical each trainee is to the integrity of the cardholder data environment. In this section we define each trainee group, their responsibilities, and their impact on PCI compliance and system security. For each group we also outline support/resource, methods/channels, and periodicity (or frequency) requirements and recommendations.

Level 1: Global/Regional/Project Management

• Staff involved in ongoing management of PCI DSS compliance, control implementation, internal review/audits or documentation of processes and procedures on a departmental or regional level are critical to successful management of PCI DSS and of the business or operational units they are responsible for. As such, it is paramount that they understand the full scope of PCI DSS, its requirements, documentation, and evidence collection. Most important is that they understand how changes to the infrastructure may affect the compliance and security of the organisation. Finally, such staff should be able to communicate with, train and manage their direct reports in order to achieve organisational objectives.
• Support/Resources: It is recommended that such staff have regular access to PCI DSS expert advice to respond to and advise on questions of PCI DSS scope, interpretation or similar doubts.
• Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
• Training Periodicity: Induction training, followed by regular updates (at least annually), is recommended.

Level 2: Audit, Compliance, Risk, Infrastructure, Network, Communications, Systems/Applications & Security Management

• Such personnel must understand the PCI DSS controls they are responsible for, how to manage change, how to follow procedures and processes, and the internal reporting and documentation requirements set by organisational policy and PCI DSS. Such personnel must understand how their unit's actions may affect the organisation's compliance status, and they must also carry out critical procedures as defined in the information security policy. As department managers or business unit leaders they must also ensure their staff carry out processes and procedures in order to maintain system and data availability and integrity.
• Support/Resources: It is recommended that such staff have regular access to PCI DSS expert advice/resources, either internally and/or externally.
• Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
• Training Periodicity: Induction training, followed by regular updates (at least annually), is recommended.

Level 3: Audit, Risk, Infrastructure, Network, Communications & Security Staff

• Such personnel must understand how their unit's actions may affect the organisation's compliance status, and they must also carry out critical procedures as defined in the information security policy.
• Support/Resources: It is recommended that such staff have regular access to PCI DSS expert advice/resources internally.
• Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
• Training Periodicity: Induction training, followed by regular updates (at least annually), is recommended.

Level 4.A: Systems/Applications Developers Staff

• Developers hold the key to critical card data processing applications, so they must be well versed in secure coding techniques, processes and procedures. Developers must be constantly up to date with application security threats. As threats constantly evolve, application security staff must keep up to date with countermeasures, patch critical systems and follow the secure coding best practices applicable to their coding languages, platforms and their interdependencies.
• Support/Resources: Access to up-to-date secure coding resources is critical for such staff; the ability to integrate secure coding resources into standard development tooling is both advantageous and practical.
• Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
• Training Periodicity: Induction training, followed by more specific regular training (monthly), is recommended.

Level 4.B: Business Continuity, Incident Response and Designated staff with security breach response responsibilities

• Staff with security breach response responsibilities on critical applications must be aware of organisational and industry (card brand) incident response procedures. They must also test such procedures regularly to ensure readiness when a real situation occurs. Regular training and testing of staff knowledge and of their response in the event of a breach is critical to minimising the impact of breaches on the organisation.
• Support/Resources: Access to internal documentation and the tools implemented for incident response situations is critical.
• Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
• Training Periodicity: Induction training, followed by regular updates (at least annually), is recommended.

Level 5.A: End User/Staff who are tasked with inventory and inspection of card reader devices (POS, self-service machines)

• Staff tasked with inspecting card reading devices must be aware of what signs of tampering to look out for, which parts of devices to inspect, how to inspect and document the inspection, and the procedures to follow in the event of suspected tampering. As skimming and tampering threats and methods evolve, staff must be updated regularly. In addition, the organisation must have appropriate risk-based inspection policies, documentation, and reporting in order to manage compromises and compliance requirements.
• Support/Resources: The timely availability of updated information regarding card-reading device tampering techniques is paramount for such staff to carry out inspections effectively.
• Training Methods/Channels: It is assumed that most staff have limited access to desktop computers, hence the availability of mobile-responsive training channels is recommended.
• Training Periodicity: Induction training, followed by more specific regular updates (monthly) or the implementation of a tool with the capability to incorporate tamper-specific information, is recommended.

Level 5.B: End User/Staff who have contact with or may affect CHD security or integrity

• All personnel must be educated upon hire and at least annually on the importance of information security, threats to the organisation, and threats to their personal information which may lead to a compromise of the organisation's systems and critical data. In particular, personnel who have access to card data or to systems which process such data must be trained to understand the value of such data as well as the procedures that protect it.
• Support/Resources: An integral part of achieving end user education hinges on implementing information security awareness programmes employing a variety of channels including posters, screen-savers, videos, games, etc.
• Training Methods/Channels: It is assumed that most staff have limited access to desktop computers, hence the availability of mobile-responsive training channels is recommended.
• Training Periodicity: Induction training upon hire, followed by annual mandatory training, is required; regular ongoing training in line with the internal information security awareness programme (monthly) is recommended.