To mark Global Payment Security Education Week, 24-28 October 2016, the PCI Council is offering free PCI Awareness training - a $495 value. Registration for this FREE PCI Awareness eLearning is open this week. Click here for registration information. Some restrictions apply.
We sat down with Gill Woodcock, Senior Director of Certification Programs for the PCI Security Standards Council, to discuss the importance of PCI Awareness training.
Why is awareness training important for a secure payments environment?
Gill Woodcock: Effective security needs people, process and technology to all play their part. Incidents often start with people; for example, think of the phishing attacks we are hearing so much about recently. Raising employee awareness of how payments should be secured is critical in preventing breaches of cardholder data. Employees who have high levels of awareness are less likely to just click that link that introduces malware. Interestingly, research also shows that if an incident does occur, then organizations with training programs have lower resulting costs. According to the 2016 Ponemon Cost of Data Breach Study, having employee training is the third most effective factor in reducing the costs of a data breach, after having an incident response team and encryption.
Who is PCI Awareness training for?
Gill Woodcock: Anyone interested in learning more about PCI! More seriously, PCI Awareness training will help anyone working in a company which has to comply with PCI DSS. This is a high-level course of interest to a broad range of people who need a broad understanding of our standards: executives and managers who need to understand what PCI DSS means for them, and how securing payments can benefit their organization, as well as anyone involved in implementing PCI DSS who needs to understand how it fits into the larger picture. If you are new to PCI and not sure where to start, then this training course will give a good overview of PCI DSS and what it is all about.
What topics are covered by the course?
Gill Woodcock: The course includes a range of PCI related topics including:
- Overview of PCI requirements, how they enhance data security, and support compliance with the PCI Data Security Standard
- Roles and responsibilities of key players in the compliance process – including overviews of the Internal Security Assessor (ISA), Qualified Security Assessor (QSA), and Approved Scanning Vendor (ASV) programs
- What constitutes PCI compliance
- Synopsis of the infrastructure used by organizations to accept payment cards and communicate with verification and payment facilities
Can you recommend more advanced courses for those who continue their payments security education?
Gill Woodcock: Participation in the PCI Professional (PCIP) program would be a great next step for those who want more in-depth knowledge. PCIP is an industry-recognized qualification, and includes listing on PCI SSC’s website. The training can be computer-based or face-to-face, and there is an exam to pass before individuals can claim PCIP status. More info is available on the PCI website or from the PCIP Program Manager, firstname.lastname@example.org. The Internal Security Assessor (ISA) qualification might be appropriate if you are involved in assessing PCI DSS within your organization; again, more info is available on the PCI website or via the ISA Program Manager, email@example.com.
What options are there for group trainings?
Gill Woodcock: Please reach out to discuss options if you have a group of employees to train. We can provide an expert PCI instructor to deliver training at your premises and can offer volume discounts - the more you train, the more you save! This option is available for all of our training courses, so please contact firstname.lastname@example.org for a custom quote if you are interested.
Do you have any recommendations for someone looking to sell awareness training to their organization?
Gill Woodcock: My recommendation is to do your homework and figure out your business case. Look at how having trained employees can benefit your business and how you can show those benefits to senior management. The Information Supplement "Best Practices for Implementing a Security Awareness Program" on PCI SSC’s website has some excellent examples of metrics which can be developed and tracked, as well as providing lots of insight into the different types of training appropriate for different organizational roles – well worth reading!