Sep 02, 2015
Compliance with the PCI Data Security Standard (PCI DSS) is a priority for most large organisations. Beyond the legal ramifications of non-compliance, it's essential to thwart malicious third parties, protect against the loss and theft of sensitive data, and safeguard the customers it belongs to. With that in mind, we're drawing upon the findings of a global survey into the roles of over 3,000 IT professionals and the state of PCI compliance in their organisations. The survey's findings identify 7 key drivers of effective PCI compliance training - and by following each of these principles, you can ensure your own organisation does everything possible to protect card and cardholder data.
1) Tailor Training Content to Different Roles
Every job function and role within your organisation will engage with payment information in a different way. Whilst it's essential for information to be protected at every level of the organisation, differing job roles will require different types of training to ensure that protection. Whilst an IT team will need regular technical training, front-line employees will benefit from a more streamlined (and perhaps less frequent) approach to training. This type of role-specific training is an essential tenet of effective security education.
2) Deliver Training Via CBT
In addition to content customisation, it's important to choose a learning platform that's tailored to the needs of participants. Classroom training can be disruptive, requiring employees to take hours or days away from their current responsibilities. In most instances, it's easier to engage employees with computer-based training (CBT), bolstering easily accessible eLearning modules with additional instructor-led training where circumstances dictate.
3) Minimise the Length of Individual Training Sessions
CBT makes it possible to minimise the length of individual training sessions. Instead of asking participants to relinquish whole days of their time, training can be accomplished in short, manageable increments of ~30 minutes. There's no need to overload employees with an abundance of information in a single session; content can be delivered in smaller bursts - making training easier to complete, easier to remember, and easier to act upon.
4) Update the Curriculum Every Year
Data security is a highly dynamic issue, with changes to technology, external security standards and internal security policies creating a need to regularly update training. For employees who engage with PCI compliance in a technical environment, this need is greatly amplified - and PCI training needs a process that enables regular updates and easy dissemination of new information.
5) Procure Training from a Third-Party Vendor
Developing a comprehensive PCI DSS compliance training program in-house requires a huge amount of resources, skills and expertise. For most organisations, the costs and time requirements of this approach are impractical - and in these instances, employees are better served by engagement with a third-party security training vendor. To learn more about choosing a suitable vendor for your organisation, you can read our blog post: What to Look for When Selecting a Third-Party Security Training Vendor.
6) Improve Future Training By Gathering Participant Feedback
Effective training is an iterative process. By regularly collecting feedback from participants, future training courses can be shaped to offer improved efficacy - and with only 58% of employees satisfied with the current state of PCI compliance training, there's a very real need for improvement. Collecting feedback doesn't need to be complex or costly; simple participant surveys and multiple-choice questionnaires can be enough to shape the direction of future training in a positive way.
7) Measure Long-Term Effectiveness
In most organisations, PCI compliance is regarded as a simple box-checking exercise - resulting in as few as 35% of organisations tracking the long-term effectiveness of their PCI compliance training. Instead of viewing PCI training as a simple cost, it should be viewed as an opportunity to improve your organisation's security, and a way to reduce the costs and damages associated with data breaches and data loss. By measuring long-term effectiveness, you can demonstrate the real-world benefits of PCI training in terms of reduced costs and measurable ROI. To learn how to roll out an effective security training program, from PCI compliance through to developer security training, download our free whitepaper below.