Don’t Forget to Add Common Sense to Your PCI Compliance Efforts

Don’t Forget to Add Common Sense to Your PCI Compliance Efforts

Harriett Beecher Stowe once wrote that “Common sense is the knack of seeing things as they are, and doing things as they ought to be done.”  

Most of us take a common sense approach to everyday life.  For example, before leaving for work in the morning, we unplug the iron and lock the front door.  That reduces the chance of burning down the house or having someone steal your stuff.   You don’t need a reminder…it’s just common sense.

So why is it so different with information security?  There’s a tendency for companies to put all their focus on implementing the latest security technology and not enough focus on common sense preventative measures.  

This is especially true with retail merchants who handle credit cards.  The best PCI compliant, point-of-sale system can’t prevent a data breach caused by employee negligence.  For example, an employee who tapes their system access passwords to their PC monitor is just inviting theft from a cleaning person or contractor.  A critical component of security is good old fashioned common sense.  Business owners and IT leaders need to make sure that employees understand the role they play in preventing data theft. 

Employee Security Awareness Training is a PCI Requirement

Many retail merchants aren’t aware that employee training on information security is actually a PCI requirement.  Besides just being a good idea, employee security training is addressed in Section 12.6 of the PCI data security standard (DSS).  That provision requires employers to verify that “employees attend awareness training upon hire and at least annually.”

6 Topics to Cover in Employee Security Awareness Training

So you may be wondering what the average employee needs to know.  After all, isn’t the IT person supposed to worry about PCI compliance?    Here’s a list of 6 topics to cover with every employee on at least an annual basis:

• What is sensitive information?  Aside from the obvious categories of customer credit card and social security numbers, many employees don’t realize the intellectual property such as price lists, product descriptions, marketing plans, and financial reports are also frequent targets of theft and their loss can have devastating effects on the company. 
  
  
• Methods used by outsiders to steal sensitive information.  Low tech dumpster diving, or going through the trash, are still the top ways sensitive information is stolen.   Other vulnerabilities include leaving reports laying around a workspace and not locking file cabinets.  Employees need to be reminded about how to properly dispose of and secure documents.
  
  
• Storing information.  The single biggest way that companies lose sensitive data is by having the data somewhere it shouldn't have been in the first place. People take it off the network and put it on a laptop computer, even though they don't need it. When that laptop computer is lost, the data is lost with it. So one of the things you need to think about when you are using your computer is, “Do I need this information to be portable?”  Employees should also be taught to ask themselves questions like, “Do I need to make a copy, and am I authorized to make a copy?”  More than half of data breaches are the result of lost laptops, lost thumb drives, or lost portable media.
  
  
• Weak passwords.  Employees need to understand how easy it is for cyber criminals to crack weak passwords.  Some internal systems aren’t set up to require strong passwords.  Most people “get the concept” of what a strong password is after just a few minutes of conversation.  It’s well worth having that conversation.
  
  
• Dangers of peer-to-peer file sharing networks.  Employees need to understand that services like Kazaa and LimeWire are frequently used to distribute key loggers that can capture every single keystroke that you write.  It’s best to ban the use of peer-to-peer programs.  If that’s not feasible, at least educate employees on the risks so that precautions can be taken.
  
  
• Dangers of email.  One of the biggest problems companies have is that they transmit sensitive information by email. Email often bounces around before it gets to its intended recipient and it's not secure.  Employees need to be reminded that deleting email frequently doesn't remove it.  Other risks include links and attachments.  These can launch a virus or worm which can cost the company hundreds of millions of dollars and expose sensitive data.   Employees should be taught to not clink on an email link unless they know for sure that they are going to a known web page.

Helpful links:

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.doc (PCI DSS Requirements)

https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary_v1-1.pdf (PCI Glossary)

http://www.anx.com/content/solutions/managed-security-services/pci-compliance-solution-for-retail/officescreen-pci-solution (ANX OfficeScreen PCI Solution)