PCI DSS v3.1 Training Requirements Explained
This article clarifies each PCI DSS training requirement in relation to the target training group, how that group is affected, and the consequences (beyond non-compliance) to the organisation.
Requirement 6.5 (Secure Coding)
“Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.”
This requirement means that application developers and administrators must be trained in secure coding techniques on an ongoing basis. They must also keep up to date on evolving threats to critical applications and on how to change code as those threats evolve. Failure to follow this requirement may lead to critical compromises of applications and of the cardholder data environment: insecure code may allow malicious individuals or groups to compromise such applications.
Requirement 9.9 (Inventory & Inspection of Card Reading Devices)
“Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” In particular, 9.9.3 states that the organisation must “Provide training for personnel to be aware of attempted tampering or replacement of devices”.
This requirement means that end users and staff tasked with regular inspections of card-reading devices, such as POS devices and self-service terminals, must be aware of the signs of tampering, including newly emerging skimming techniques and devices, and of what specific evidence to look for when conducting inspections. Failure to comply with this requirement may lead to card-reader tampering going undetected and to a major CHD compromise.
Requirement 12.10 (Incident Response)
“Provide appropriate training to staff with security breach response responsibilities.”
This requirement means that business continuity, incident response and other designated staff with security breach response responsibilities should always be aware of their responsibilities and of the procedures to follow in the case of a suspected breach of cardholder data or its environment. Failure to comply with the intent of this requirement could lead to such staff not following the appropriate procedures in the event of a breach, which may result in fines (through a lack of knowledge of the card brands' reporting procedures) and, even worse, in major CHD compromises with dire consequences for the organisation.
Requirement 12.6 (Information Security & Cardholder Data Awareness)
“Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.”
This requirement means that end users and staff who have contact with CHD, or who may affect its security or integrity, must be trained in the common information security threats affecting end users. They must be aware of their responsibilities when handling cardholder data or interacting with CHD environments, and of how their actions may affect the integrity of such data and systems. Failure to follow these requirements may lead to data breaches through lack of awareness or ignorance, which in turn may have serious repercussions for the organisation.
A clarification on the scope of this requirement: security awareness training applies to those people, processes and technologies that are in scope for PCI DSS. If there are individuals in your organisation who do not interact with, have access to, or can affect the security of cardholder data, and who do not otherwise fall under the scope of the cardholder data environment (CDE) per the "Scope of PCI DSS Requirements", then it is not necessary to include those individuals in PCI DSS security awareness training.