  • Posted by: admin
  • On April 12, 2016, 2:32 p.m.

Training requirements vary according to the level of involvement, responsibilities, and how critical each trainee is to the integrity of the cardholder data environment. In this section we define each trainee group, their responsibilities, and their impact on PCI compliance and system security. For each group we also outline support/resource, methods/channels, and periodicity (or frequency) requirements and recommendations. It is important to note that, beyond the previously highlighted PCI requirements, there are important knowledge gaps, in particular at senior management and technical levels. If these are not addressed, the organisation risks incurring costly delays, errors and omissions which would adversely affect achieving and maintaining PCI compliance.

Level 1: Global/Regional/Project Management

  • Staff involved in ongoing management of PCI DSS compliance, control implementation, internal review/audits or documentation of processes and procedures on a departmental or regional level are critical to successful management of PCI DSS and the business or operational units they are responsible for. As such it is paramount they understand the full scope of PCI DSS, its requirements, documentation, and evidence collection. It is paramount that senior management understand how changes to the infrastructure may affect compliance and, more importantly, security. Finally, such staff should be able to communicate, train and manage their direct reports in order to achieve organisational objectives.
  • Certification of a minimum of 1 Internal Security Assessor (ISA) would be advisable as this may provide additional benefits such as the permission to self-certify (an ISA may be authorised to sign off a Report on Compliance, always subject to Acquirer or Card Brand approval on a case by case basis).
  • Support/Resources: It is recommended that such staff have regular training and access to PCI DSS expert advice to respond and advise in cases of PCI DSS scope, interpretation and other queries.
  • Training Methods/Channels: It is expected/assumed these staff members would have access to both desktop/laptop and mobile devices.
  • Training Periodicity: An in depth induction training, access to ongoing eLearning resources /updates, and regular training updates (at least annually) would be recommended.

Level 2: Audit, Compliance, Risk, Infrastructure, Network, Communications, Systems/Applications & Security Management

  • Such personnel must understand the PCI DSS controls which they are responsible for, how to manage change, follow procedures and processes, as well as internal reporting and documentation requirements according to the organisational policy and PCI DSS. Such personnel must understand how their unit's actions may affect the organisation's compliance status, and they must also carry out critical procedures as defined in the information security policy. As department managers or business unit leaders they must also ensure their staff carry out processes and procedures in order to maintain system and data availability and integrity.
  • Certification of certain staff as PCIP may be desired from an organisational and individual training certification standpoint (PCIP does not provide any specific benefits such as the permission to self-certify which may be afforded to an ISA).
  • Support/Resources: It is recommended that such staff have regular access to PCI DSS expert advice/resources either internally and/or externally.
  • Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
  • Training Periodicity: An in depth induction training, access to ongoing eLearning resources /updates, and regular training updates (at least annually) would be recommended.

Level 3: Audit, Risk, Infrastructure, Network, Communications & Security Staff

  • Such personnel must understand how their unit's actions may affect the organisation's compliance status, and they must also carry out critical procedures as defined in the information security policy.
  • Certification of certain staff as PCIP may be desired from an organisational and individual training certification standpoint (PCIP does not provide any specific benefits such as the permission to self-certify which may be afforded to an ISA).
  • Support/Resources: It is recommended that such staff have regular access to PCI DSS expert advice/resources internally.
  • Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
  • Training Periodicity: Overview induction training, access to ongoing eLearning resources /updates is advised.


Level 4.A: Systems/Applications Developers Staff

  • Developers hold the key to critical card data processing applications, so they must be well versed in secure coding techniques, processes and procedures. Developers must be constantly up to date with application security threats. As threats constantly evolve, application security staff must keep up to date with countermeasures, patch critical systems and follow secure coding best practices applicable to their coding languages, platforms and their interdependencies.
  • Support/Resources: Access to up to date secure coding resources is critical for such staff; the ability to integrate secure coding resources into standard coding software is both advantageous and practical.
  • Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
  • Training Periodicity: An induction training, followed by access to eLearning and Secure Coding Resources is strongly advised.

Level 4.B: Business Continuity, Incident Response and Designated staff with security breach response responsibilities

  • Staff with security breach response responsibilities on critical applications must be aware of organisational and industry (card brands) incident response procedures. They must also test such procedures regularly to ensure readiness when a real situation occurs. Regular training and testing of staff knowledge and their response in the event of a breach is critical to minimising the impact of breaches on the organisation.
  • Support/Resources: Access to internal documentation and tools implemented for incident response situations is critical.
  • Training Methods/Channels: It is expected/assumed these staff members will have access to both desktop/laptop and mobile devices.
  • Training Periodicity: An induction training, followed by regular updates (at least annually) is recommended.


Level 5.A: End User/Staff who are tasked with inventory and inspection of card reader devices (POS, Self Service machines)

  • Staff tasked with inspecting card reading devices must be aware of what signs of tampering to look out for, which parts of devices to inspect, how to inspect and document inspection, as well as procedures to follow in the event of suspected tampering. As skimming and tampering threats and methods evolve, such staff must be updated regularly. In addition, the organisation must have appropriate risk-based inspection policies, documentation, and reporting in order to manage compromises and compliance requirements.
  • Support/Resources: The timely availability of updated information regarding card-reading device tampering techniques is paramount for such staff to effectively carry out inspection.
  • Training Methods/Channels: It is assumed that most staff have limited access to desktop computers, hence the availability of mobile-responsive training channels is recommended.
  • Training Periodicity: Induction onsite training or eLearning, followed by more specific regular updates (monthly) and the implementation of a tool with the capability to incorporate tamper-specific information is strongly advised.

Level 5.B: End User/Staff who have contact with or may affect CHD security or integrity.

  • All personnel must be educated upon hire and at least annually on the importance of information security, threats to the organisation, and threats to their personal information which may lead to a compromise of the organisation's systems and critical data. In particular, personnel who have access to card data or systems which process such data must be trained to understand the value of such data as well as the procedures that protect it.
  • Support/Resources: An integral part of achieving end user education hinges on implementing information security awareness programs employing a variety of channels including posters, screen-savers, videos, games, etc.
  • Training Methods/Channels: It is assumed that most staff have limited access to desktop computers, hence the availability of mobile-responsive training channels is recommended.
  • Training Periodicity: An induction eLearning training upon hire, followed by annual mandatory training is required. Regular ongoing training & awareness in line with the internal information security awareness programme (monthly) is strongly advised.
