Connect with us

Hi, what are you looking for?



PCI Security Standards Council Releases Guide for Building Security Awareness Programs

The PCI Security Standards Council (PCI SSC) published guidance today aimed at helping businesses build information security awareness programs.

The PCI Security Standards Council (PCI SSC) published guidance today aimed at helping businesses build information security awareness programs.

The document, entitled ‘Best Practices for Implementing a Security Awareness Program’, offers companies recommendations for educating staff on protecting sensitive payment data.

The guidance was developed by retailers, banks and technology providers, and focuses on three key areas: assembling a security awareness team; developing appropriate security awareness content for the organization; and creating a security awareness checklist.

“The first step in the development of a formal security awareness program is assembling a security awareness team,” the paper notes. “This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended the team be staffed with personnel from different areas of the organization, with differing responsibilities representing a cross-section of the organization.”

Advertisement. Scroll to continue reading.

“Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program,” the paper continues. “The size and membership of the security awareness team will depend on the specific needs of each organization and its culture.”

Organizations should also divide employees into groups to ensure the right people are getting the right training. The training program, the paper recommends, should be tailored for three groups – all personnel, specialized roles and management.

“Management has additional training needs that may differ from the two previous areas,” according to the paper. “Management needs to understand the organization’s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues should they occur. The security awareness level of management may also need to include an overall understanding of how the different areas fit together.”

Earlier this year, research by consulting firm Enterprise Management Associates found that more than half of the enterprise employees surveyed had not received any security or policy awareness training from their employer.

Whether it’s the POODLE attack, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk, PCI SSC Chief Technology Officer Troy Leach said in a statement.

“PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information,” he said. “This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organizations.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...