Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of an annoyance.


In this article, we will learn how we can achieve PCI-DSS compliance through security awareness training. We will also discuss some of the requirements of PCI-DSS that depend completely on end-user responsibilities and security awareness.

Because of a lack of education and awareness about payment security, employees often introduce security holes: they do not follow secure coding practices in the applications they develop, pick weak passwords, and share company information on public and social platforms.

Security awareness was one of the key drivers of PCI-DSS 3.0, in which the PCI-DSS community places more focus on education and security awareness around payment security. PCI-DSS 3.0 incorporates requirements such as 12.6, which states:

“Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security”

This requirement emphasizes that personnel should be trained at least annually on the security policies in place, because implemented security controls may become ineffective over time or through a mistake or intentional action by personnel. The requirement also states that employees should provide Human Resources with a written or electronic acknowledgement that they have understood the policies and procedures in place, together with a statement that they will adhere to them.

An organization’s Security Awareness Program should, at a minimum:

  • Inform users about the sensitivity of credit card data, which parts of the card data are sensitive, and how that data should be handled. For example, what data may be stored and what data cannot be stored even when encrypted.
  • Train developers in secure coding practices.
  • Train users on organizational security policies and standards.
  • Train staff about all the actors of the PCI-DSS compliance lifecycle.

Organizations should conduct security awareness programs to make sure that personnel are aware of the implemented policies and adhere to them. Below is a list of some of the requirements in PCI-DSS 3.0 that ask for user awareness, and how organizations can meet them through a security awareness program:

  • Requirement 6.5 states:

“Address common coding vulnerabilities in software-development processes as follows:

  • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
  • Develop applications based on secure coding guidelines.”

This requirement focuses on securing web applications. Organizations can meet it by making their developers aware of resources such as the OWASP Top 10 and the SANS Top 25. It is a critical requirement to fulfill, because a single error in a front-end web application can render the entire network security deployment useless.

  • PCI-DSS also takes into account that personnel should be trained to handle an incident if a breach occurs. As per requirement 12.10.4:
    • “Provide appropriate training to staff with security breach response responsibilities”.

Organizations should train the members of the incident response team (IRT) in how to handle an incident. This can be done by making users aware of the criticality of the data and by conducting demo incident exercises with the individuals involved. Personnel who are trained in how to react when a breach occurs will help the organization conduct post-incident investigations successfully.

  • Another aspect that PCI-DSS addresses is the fact that passwords are often compromised because of a lack of awareness on the users’ part regarding their passwords. Various breaches have revealed that passwords set by admins are insecure ones such as ‘password123’ or ‘admin’. Hence the requirement:
    • “Document and communicate authentication procedures and policies to all users including:
      • Guidance on selecting strong authentication credentials
      • Guidance for how users should protect their authentication credentials
      • Instructions not to reuse previously used passwords
      • Instructions to change passwords if there is any suspicion the password could be compromised.”

Organizations should make sure that users are aware of the password policy. This can be done through banners, emails, and a time limit for changing the password. This requirement focuses on personnel training, guidance around payment security, guidance for selecting and protecting authentication credentials, and instructions to change passwords whenever a compromise is suspected. Frequent password changes by educated users, without reusing the same password, will make attacks on the cardholder data environment a bit more difficult.

  • The PCI-DSS council has gone a step further and also focuses on the major points of sale where card data is processed, for example POS terminals, and brings these terminals into scope, because attacks on POS devices such as cloning and the addition of card skimmers are on the rise. Requirement 9.9, which is to

“Protect devices that capture card data via direct physical interaction with the card from tampering and substitution”

was added to address the POS threat. This requirement now makes organizations maintain an up-to-date list of the devices deployed at their various sites. The list contains information about each POS device, such as:

  • Unique serial number of the device
  • Make and model of device
  • Location details at which it is deployed.

This requirement also focuses on training personnel to be aware of attempted tampering with, or replacement of, authentic POS devices. Organizations need to conduct periodic reviews of devices to check for any evidence of substitution or tampering.
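Part of such a periodic review can be automated by reconciling what inspectors record on site against the maintained device list. The following is an added example, not part of the original article; the record layout, vendor name, serial numbers, and site names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    serial: str    # unique serial number of the device
    model: str     # make and model
    location: str  # where the device is deployed

def normalize(serial):
    # Serials are often typed by hand during a review: ignore case and separators.
    return "".join(ch for ch in serial.upper() if ch.isalnum())

def reconcile(inventory, observed):
    """Compare the device list with a review; return sorted (finding, serial, detail)."""
    known = {normalize(d.serial): d for d in inventory}
    seen = {normalize(d.serial): d for d in observed}
    missing = {s: d for s, d in known.items() if s not in seen}
    missing_locations = {d.location for d in missing.values()}
    findings = []
    for serial, dev in seen.items():
        base = known.get(serial)
        if base is None:
            # Unlisted device where a listed one has vanished: likely substitution.
            kind = ("POSSIBLE_SUBSTITUTION" if dev.location in missing_locations
                    else "UNKNOWN_DEVICE")
            findings.append((kind, serial, f"found at {dev.location}"))
            continue
        if dev.model != base.model:
            findings.append(("MODEL_MISMATCH", serial, f"{base.model} -> {dev.model}"))
        if dev.location != base.location:
            findings.append(("MOVED", serial, f"{base.location} -> {dev.location}"))
    for serial, base in missing.items():
        findings.append(("MISSING", serial, f"expected at {base.location}"))
    return sorted(findings)

# Constructed sample data (hypothetical vendor, serials and sites).
INVENTORY = [
    Device("PX-1001", "ExampleCo P400", "Store 12 / Lane 1"),
    Device("PX-1002", "ExampleCo P400", "Store 12 / Lane 2"),
    Device("PX-1003", "ExampleCo P400", "Store 12 / Lane 3"),
]
OBSERVED = [
    Device("px 1001", "ExampleCo P400", "Store 12 / Lane 1"),  # same device, typed differently
    Device("PX-1003", "ExampleCo P200", "Store 12 / Lane 3"),  # listed serial, wrong model
    Device("ZZ-9999", "ExampleCo P400", "Store 12 / Lane 2"),  # serial not on the list
]

if __name__ == "__main__":
    print(*reconcile(INVENTORY, OBSERVED), sep="\n")
```

Each finding is a prompt for a physical inspection of the device, not proof of tampering on its own.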

  • Requirement 9 of PCI-DSS discusses “Restricting Physical access to cardholder data”. Organizations can meet this requirement in full by making sure that:
    • Appropriate security controls are put in place and users are aware of the restricted areas.
    • Users are encouraged to report activities such as tailgating.
    • Users are made aware of any change in the underlying security policy.
    • Access to critical systems is provided on an as-needed basis only.

We can see, then, that security awareness has become the crux of achieving PCI-DSS compliance: no matter how many controls an organization puts in place, a simple error by a user, whether accidental or intentional, can strip it of its PCI-DSS compliance status.