Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Should Your Organization Do a PCI Self-Assessment?
Quick Take
On this episode of Compliance Unfiltered the CU guys break down the importance and benefits of training your organization to follow PCI DSS.
Adam gives the listeners a full understanding of why training your personnel on PCI is so critical. He covers the important things you can do to gear up for the training, what specific trainings will be needed, and what specialized focuses you should be mindful of as you look to implement a PCI training program for your organization.
Curious how PCI DSS v4.0 comes into play? No worries, the CU guys have all these answers and more, on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the coffee mate to your compliance cup of joe. And for those of you who like it straight, there’s no one to give you a better black cup of coffee than the one and only Adam Goslin.
How the heck are you, sir? Oh, black coffee, my favorite. Mine’s often referred to as mud, though. Your coffee, not your name, sir. Today, we’re going to talk a little bit more about, well, something that’s probably easier said than done when you’re discussing it, and that is training your organization to follow PCI DSS.
So why is training your personnel on PCI so darn important, Adam? Well, there are very few things in this life that are guaranteed, but PCI training falls into one of them, interestingly enough, if you’re subject to PCI. So if you’ve got to be compliant, then employee training’s a piece of it. The best part is, for the most part, people look forward to their PCI training with about the same enthusiasm as they do taxes. And so there’s some good ways to go about doing it, there’s some bad ways to go about doing it. The PCI training, it shouldn’t be something you just slap on the end of the compliance engagement as an afterthought, because, quite frankly, the training that you do as you’re keeping the organization up to speed through the year and integrating the notion of security and compliance into the DNA of the company, it’s a huge piece of making a significant difference in proactive protection of the organization. So, you know, at the end of the day, the human element is typically, we’ll call it, the least predictable of the various elements of an organization. And that’s where it becomes critical to get the training in place. You want everybody taking security and compliance seriously, being in the loop, understanding what they need to do, you know, things along those lines. And so, you know, if you do it well, then that PCI training helps to establish that kind of culture of compliance that we’ve talked about before at the organization, so that it just becomes part of what they do.
Excellent. Excellent. Now, what are some of the things to do to kind of gear up for training, right? How do you prepare to prepare for training gear? I feel like I’m in the Office Space movie, planning to plan, you know. For anybody, that’s my, like, literally all-time favorite movie. And that particular blip was sitting on the whiteboard in, I think it was when Peter Gibbons was getting interviewed by the Bobs, that was up on the whiteboard, a little tidbit for those that hadn’t happened to notice that one. Anyway, sorry. You didn’t know you were going to get movie trivia on this week’s interview. Exactly. Hey, I aim to please. So, you know, the reality is that you want to get everyone to the point where they’re taking security and compliance seriously, and it becomes part of the daily life. You know, they don’t have to be experts in all things PCI, but they need to know what it is, why it matters, and, you know, following some of the kind of basic best practices. So, you know, before you go off running down the line of training people, etc., it’s a good idea to make sure you’re actually in alignment with PCI in the first place, needing to, you know, kind of know and understand the standard itself, but also confirming that you’ve got all the appropriate policies and procedures and documentation in place, which effectively form the basis of the training. And as the organization gains alignment with or confirms alignment with PCI, then you develop a number of elements and artifacts that essentially, it’s the documented outcome of your efforts to compare the organization to PCI. And so those documents that form a lot of the basis of the training are things like your overall information security policy, your acceptable use policy, your incident response plan, your business continuity and disaster recovery plan.
So making sure that you’ve got all of that in place, that they’re up to date, etc, that’s a real good starting point before you go heading down the, okay, let’s all go get trained. Well, for sure.
Now, speaking of the actual “let’s all go get trained,” who all needs the training within the organization? Every single freaking person in the entire company. You know, and some people that aren’t familiar with the PCI space, maybe they’re newer to it, etc. You know, PCI is an interesting standard in that it literally applies across the board. So everybody from the administrative assistant to the CEO to HR to sales to certainly all the technical crew, etc. Whether they’re full-time people, part-time people, interns, you know, temporary staff, contract employees, you know, vendors with direct access to sensitive data that aren’t doing their own training. Everybody. So, you know, in the PCI world, now, maybe the vendor is contractually obligated to train their own people. Okay, fine, then you can leave that to them to go ahead and take care of. But long story short, everybody. So everybody in the company getting trained. Yeah, I went there. You’re welcome. So yeah, most of the people simply need to understand their general obligations, you know, of general users. And so there’s three general arenas of training. First is security awareness training. That’s a general overview of security and compliance rules and regulations for people within the organization. Everybody needs to get that training at hire and once a year. There’s also your acceptable use policy, so training on that is often delivered in association with your security awareness training, at hire and once a year. The acceptable use policy defines the acceptable use of technology within the organization, you know, and lays out the groundwork for acceptable and, depending on how it was written up, unacceptable ways that systems and devices should be used within the environment. The third big arena is security reminders. So PCI has a requirement for organizations to issue periodic security reminders to the folks.
There aren’t any specific rules or regulations to follow with these security reminders. So as long as you’re kind of covering security and compliance related topics that are good refreshers for the personnel, etc, that will usually meet the mark.
As a sideline note, TCT does issue a quarterly blog article and a quarterly podcast, either of which could serve as your security reminders for your organization. You don’t even need to be an existing, active TCT client today. We just post those up on our blog and on our podcast. So for organizations that are looking for something to use as the security reminders, they can by all means go ahead, look for those and distribute those out to their staff. It’s a tool that we leverage for companies that we work more closely with to help manage their compliance. So we use it for our own customers and certainly others could use that as well. Each of those reminders includes some type of a refresher on best practices to follow, a tip on leveraging the TCT portal, and a selection of recent security news stories. So it’s just an easy way for folks to be able to go in and leverage those to make their world happier.
Now, what about specialized training needed? So, outside from that general training for all of the personnel, there are some personnel that will need specialized PCI training depending on which role they fulfill within the organization. So, some of those would be incident response training. So for anyone that’s actively involved in the incident response process, they need to go through training at least once a year. Typically that’s done internally because, generally speaking, the incident response plan training is something that is based on the company’s specific incident response plan. That training could take the form of a tabletop exercise where they effectively, you know, cook up a scenario and walk it through; that is sometimes leveraged. In other cases, the organization is exercising their incident response plan through a live event, in which case, you know, making sure that they fully leverage their incident response plan, perform all their documentation, etc., that could also double up as their training exercise as well. For secure code training, if the organization leverages developers to do custom software development that’s related to the payment space specifically, then that’s where they would need to go in and do secure code training. More often than not, that training is done by external organizations to the company itself. There’s a lot of different places you can go to get training, a lot of different modes. Different providers use different approaches. So, you know, find out what works for your organization, what training style and format. I mean, they could be there in person. They could be provisioning this, you know, kind of in a live remote session. This could be strictly online, you know, online on-demand training, et cetera. So, generally a lot of options. But you want to find somebody that’s going to address a general overview of secure coding.
So, typically, that’s at least covering the OWASP top 10, as well as some specific coding techniques on the languages that your programmers are leveraging for your system. So, you know, if you’re a PHP shop, then, you know, get some additional specifics on PHP versus .NET, etc.
You know, TCT also does provide secure code training, you know, or we can make recommendations based on the organization’s needs. You know, long story short, we’ve said it many times before. We are here to help. If you want to get our help, sweet. And if you just want our help with getting somebody that works for you, no problem, we’re here to help regardless. Now, what additional training could come into play? So as needed, and going beyond the official training requirements, there may be some optional things that the organization wants to consider. So as an example, a lot of times when we’re working with organizations, we’ll see HR departments that really struggle with onboarding and off-boarding, managing access control; legal departments really understanding what it is that they need to have in their legal agreements related to compliance inclusions that have to be added to vendor contracts that they’re executing, etc. And so these are just some of the examples. In these cases, you want to get a trainer that has a depth of knowledge both with PCI as well as your organization, because that would be extremely helpful for doing some remedial training with the staff just to make sure that they’re following the right regulations, guidelines, etc. If your organization is lucky enough to leverage a compliance consultant, that would be an ideal resource to go and perform, as an extra service or whatever, some additional training, additional specific training to different departments within the organization. And I can’t underscore enough the importance of bringing on that consultant to help navigate PCI. It’s someone that can identify gaps, get your organization aligned, keep you ready for your annual assessment and up to speed with the operational PCI requirements. And the coolest part about when you’re dealing with a compliance consultant: they’re not the assessor. You can have wide open discussions with that consultant. You don’t need to worry about saying the wrong thing to your QSA, that type of thing. It just allows for a different style of relationship, one that’s more open and where you can just pretty much talk about whatever it is that you need to discuss and do so kind of in a safe environment, if you will. Not that you’re unsafe with the QSAs, but I’ve often said this to different kind of end organizations. I’m like, there’s just, I don’t know what to tell you, there’s certain things that are better conversations not to have with the QSA, because those guys have a job to do and whatnot.
Some of them are cool, but some of them start to get a little bit worked up when they think that things may not quite be in the right position. And one of the things that’s important about the relationship with the QSA is to maintain a good one, and one where they have the sense that you’ve got it together, you know, that you are doing things that are right and appropriate. There’s always stuff that’s going to come up that’ll be interesting conversations with your QSA, but sprinkling them with every freaking question that you’ve got, I tend not to do that myself.
Fair enough. Now, I know the dark cloud hanging over a lot of people’s heads right now is PCI 4. It is looming. What are the impacts of PCI 4 on potential trainings for organizations? Well, one of the biggest challenges is, and this one was, I don’t know, man, they’ve kept a lot of the requirement numbers the same for so long. I just know that 1.1.2 is the network diagram, type of thing. And if you’re in this space and you live it and you breathe it, the numbers associated with the requirements, you commit those to memory and you can recite them off the top of your head, etc. Well, the fine folks at PCI decided to play shuffle the requirements with the language. And so now a lot of those requirement numbers are changed. Not only are they changed, but you’ve got requirement elements that are changing, requirement numbers that are changing. As you’re going through the getting of 4.0 in place and getting aligned with it, you’re going to have to note those requirements and retrain the personnel related to any modifications. I certainly would encourage organizations, I know we’ve all got until 3/31 of ’24. That’s the last day to have a signed-off 3.2.1. But that said, don’t wait until the last second to start taking a look at 4.0. We’ve actually got several resources. If you go and search the podcast, search the blog, there’s a lot of good resources related to 4.0 on there. So don’t wait until the last second. Get ahead of it. If you can get in and do the gap assessment against 4.0 and at least kind of know what that framework looks like, well, now, guess what? You know what the future state is going to need to be. And you can start executing on training and getting people up to speed with what the modifications for 4 are. Many of the changes in 4 are significant enough that we need the employees to start following them as soon as you’re making this transition. So the sooner the training, the smoother your transition is going to end up becoming.
Duly noted. Now, parting shots and thoughts for the folks this week, Adam. Well, as best you can, you want to try to make the PCI training enjoyable. I mentioned earlier, you know, they look forward to it like they do taxes, or, I don’t know, maybe getting a root canal. Yeah, type of thing. You know, there’s generally not a sense of fervor and excitement for the training. So, you know, you’ve got a lot of flexibility in the way that you train your employees. You know, it doesn’t have to be a dry seminar with a talking head. You know, as you’re covering material, you can do it however you want, you know, so some examples of ways and approaches: get people off site to kind of an upscale conference center or retreat center. You know, include some role playing and other active learning approaches, multimedia presentations, generating different games or maybe even a compliance quiz competition, you know, type of thing. You know, I’ve never seen one that got worse by someone bringing in a bunch of food, you know, so that usually will start to warm people up and whatnot. You know, certainly the more engaging the training is, the more successful you’re going to be in making a connection to the personnel, having them follow the training that they’ve received, and certainly the ultimate objective is, you know, protection of the organization. You know, you want them to be in alignment with PCI, but at the end of the day, you know, some folks look at the training as a checkbox they need in order to check the box for PCI. I look at it differently. I look at it from the perspective of if you train these personnel appropriately, they become a huge part of the shield that helps to protect the organization.
You know, you want the organization to maintain security, maintain compliance, you know, and at the same time, the better the organization and the personnel in it understand the requirements and their responsibilities, then the better and easier, you know, people will kind of pick up what they need to do. The more it will streamline their day-by-day activities, because they’ll know how to do it in a, you know, secure, compliant manner. You know, and certainly we want to both attain and maintain a smoothly running compliance program.
Yes, indeed. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped get you fired up to make your compliance suck less.