The retail world is inundated with information on data security, privacy, compliance, and the technology to help keep up with their interrelated complexity. However, an integral part of this information should cover how employees need to handle cardholder data. Employees who stay cognizant of security and practice it continuously can greatly reduce the risk of breaches while simplifying security. This is applicable to all merchant levels and should not be taken lightly.
An alarming statistic states, “32% of companies of all sizes have experienced 25 or more social engineering attempts within the last two years, and the same very report found that 34% of businesses do not have any employee training or security policies in place.”
Here are some tips for employers that will keep their compliance approach more holistic; these are indeed the cardinal points of the PCI Data Security Standards.
1. Documentation is a requirement in PCI compliance and plays a huge role in how employees follow guidelines.
Documented direction is key for existing employees and new employees. It is a point of reference to go back to again and again. It must start from the basics, such as using the right type of passwords or two-factor authentication for logging in to your network, and extend to a new employee understanding the process of opening up a port on a network.
The same documentation necessity applies to file integrity monitoring, patch application, engaging wireless intrusion prevention systems, and internal or external scanning. Being proactive and following written guidelines is far easier and more efficient than following up on breaches or fixing vulnerabilities.
2. Training employees on PCI DSS in addition to documentation.
Here is a reference to PCI-DSSv2 12.6 – Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
The above control refers to the security awareness portion of the 12 requirements of PCI DSS. Every employee from the President of a company to the developers in the IT department needs to be concerned with the data they handle. Your enterprise is safer when everyone who touches the cardholder data understands how they should be managing that data.
Here is an incident that happened some time back, but it conveys the essence of the message. “A Wal-Mart employee received a phone call from a man claiming he worked for the retail giant’s IT department. Authorities claim that the caller instructed the associate to activate gift cards and give him the authorization codes which he used for more than $11,000 in online fraud purchases.” This breach immediately raised red flags regarding employee training and the constant reminders required to help them stay vigilant.
3. Constant updates to employee training, including annual training and verification. Doing it once and forgetting it is, in some cases, as good as no training at all.
Again, PCI-DSS (12.6.1.a) emphasizes this and it is especially relevant to merchant Levels 1 and 2.
The verification part comes in when QSAs get involved in an audit process. They verify by checking the various ways an organization trains employees. Methods such as computer-based e-training, handouts, posters, and emails are recommended. Employers need to ensure they have a security training program along with a new employee orientation. Auditors verify annual training of all employees.
It is important to remember that all this is not about checking boxes and going through a list of things to show your QSAs, but about making you aware that retailers have a responsibility to their customers, who trust them with their personal information. And retailers are liable if there is a breach. No one else.
- Major brands are not responsible
- POS vendors are not responsible
- Managed network providers are not responsible
- Acquiring banks are not responsible
- Back Office system providers are not responsible
Take your employees’ role in protecting your business seriously. They are your first line of defense. If employees don’t receive ongoing training on how to handle customers’ data, your business can be wide open to a breach. A simple manual or an actual drill is easier and less time-consuming than chasing after a breach incident. In the case of merchant levels 1 and 2, this is even more important. There are several resources provided by the PCI Council to train employees the proper way.
For additional information on data security at your company, talk to one of our systems engineers. Call 636-557-7777 and we’ll be happy to put you on the right path to compliance.