Avoiding a Checklist Approach to PCI Compliance Training


It is easy to be skeptical about PCI compliance and the requirement to deploy training to satisfy a checklist item. The idea that a checklist approach cannot help with security is not new. But I’d like to propose that if we have an opportunity to educate teams about security through an audit requirement, there are value-added ways to do it.

What can I gain over a checkmark item?
Before PCI compliance, security training was not a requirement. Issues arose where staff did not understand security concepts important to the business. One area PCI compliance aims to address is educating your teams about the security threats that can impact your business, so it is important to choose the right training for your staff.

How do I know when I see good training?
When looking to fulfill PCI training to cover OWASP and/or Security Awareness education, look for training that can easily adapt and apply to your entire organization. For enterprise-wide training, you’ll likely need to deploy it to many separate teams with people from differing backgrounds.

This poses a challenge for choosing the best compliance courses. Many vendors make assumptions about the level of knowledge your staff may have, and this can be a serious problem. If your OWASP course is tailored to developers, it may be too deep for business teams; if it is tailored to business teams, developers may feel patronized and not invest in confirming the concepts.

What should good training look like?
Look for modular training that is efficient with your staff’s time. Not everyone has the same training needs. People should be able to decide the level of training they need and not be forced to relearn concepts they already know. At the same time, remember that the goal is still to meet PCI compliance requirements, so you’ll need to make sure your staff can show that they understand the concepts through a quiz or similar tracking.

What other qualities are important?
The quality of PCI training is tough to gauge from an outline alone. The only way to evaluate content is to see a sample of the course material. Some Computer Based Training (CBT) courses are truly checklist items that provide little value to your staff for the money. By looking at the actual course content, it’s easier to tell how the training will be received by your staff and teams.

If your vendor doesn’t provide a sample of the content, be skeptical and ask why. For example, are they confident in the quality of their product?

Summary of things to look for:

  • Is the training adaptable to multiple roles in my organization?
  • Is the training modular enough that people don’t need to re-learn existing concepts?
  • What is the quality and engagement level of the content? Can I see my team actually deriving business benefit rather than simply satisfying an audit requirement?