NuHarbor Security Blog
September 16, 2014

How to actually streamline the 6 PCI-DSS 3.0 Security Training Requirements

Justin Fimlaid

If you've had to manage a PCI-DSS compliance program, you know that keeping up with the security awareness training requirements takes someone who is diligent and dedicated to the effort. The first "lift" to get a Security Awareness Program stood up can be a production, but it usually goes well because people are engaged by the novelty of the effort. Once the program is established, however, the routine of keeping content fresh and records current can become an afterthought, especially for small security teams. Below I've outlined the PCI-DSS 3.0 Security Awareness Program requirements with some suggestions to streamline the effort for your teams.

PCI DSS Security Training Requirement:
6.5 Address common coding vulnerabilities in software-development processes as follows:
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.

Suggestion for streamlining--Your time is valuable, and if you have a small team you probably don't have many AppSec professionals. Look to Computer Based Training (CBT) or a Learning Management System (LMS) to deliver secure coding training; companies such as Cigital offer up-to-date CBT courses on secure coding. Whatever you use, keep the per-developer completion records: your assessor will ask for evidence that developers were actually trained, not just that a course exists.

9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices.
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

Suggestion for streamlining--Same as 6.5 above: look to CBTs or LMSs if you can, such as Wombat Security. Alternatively, I've seen canned security awareness training content delivered successfully by HR or Education staff during new hire orientation. Keep in mind that 9.9 covers the point-of-interaction devices that physically capture card data, so the audience for this training is the staff who work around those devices (cashiers, store managers, anyone who lets a "repair technician" in), and the content should tell them exactly whom to report tampering to.

12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
12.6.1 Educate personnel upon hire and at least annually.
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

Suggestion for streamlining--If you can, leverage the team responsible for onboarding new employees to deliver new hire security training, so 12.6.1 is satisfied as part of orientation rather than by a separate Security-owned process. To track annual policy attestations and training completion, certification tools such as Lockpath Keylight Compliance Manager help automate the reminders and the record keeping; those records are what you'll hand to the assessor for 12.6.1 and 12.6.2.

12.10.4 Provide appropriate training to staff with security breach response responsibilities.

Suggestion for streamlining--This one is tough to streamline and still do right. Most Incident Response teams conduct tabletop exercises with a cross-functional core team whose members serve as the point of contact and quarterback the response within their respective teams. While challenging to streamline, you can have each member of the core team bring an actual incident they faced, or one they are worried about, to the tabletop exercise. That spreads the work of building scenarios and takes some of the responsibility for driving the tabletop off the Security and Compliance teams. Keep the agenda, attendee list, and lessons learned from each exercise; those are your training records for 12.10.4.

Conclusion
There are many ways to approach Security Awareness and fulfill the PCI-DSS training requirements, and your budget will factor into how you build the program. The one very important goal is to establish a sustainable Security Awareness Program by reducing the overhead of program maintenance. You can reduce that overhead for internal staff in a couple of ways.

The first is to find the common denominator across the compliance frameworks and regulations in your scope that require some form of Security Awareness (e.g. NIST 800-53 controls AT-2 and AT-3, the HIPAA Security Rule's security awareness and training standard); think of it as hitting multiple requirement birds with one training stone.

The next thing to consider is that your time and your team's time is valuable, probably more valuable than building training materials. Companies like Cigital and Wombat Security provide computer based training (CBT) to meet various security awareness needs. It's important to find a CBT partner who keeps their content up to date with the newest threats and security techniques. Once you find that partner, they will track user completion and success rates, so when your PCI assessor asks for training records it's as simple as printing a report.
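The record keeping behind the 12.6 suggestion above and the "printing a report" in the conclusion is the part small teams most often let slip. The following is an added example, not NuHarbor's code or any vendor's product: a small checker that reads an LMS or HR export (the CSV layout and the sample rows are constructed for illustration) and lists who is out of compliance with 12.6.1 (trained upon hire and at least annually) and 12.6.2 (policy acknowledgement at least annually). The 30-day new-hire window is an assumption standing in for whatever your policy defines "upon hire" to mean.

```python
"""Training-record checker for PCI DSS 12.6.1 / 12.6.2 evidence.

Added example, not NuHarbor's code or any vendor's product. It assumes an
LMS/HR export in the CSV layout below and a local policy that reads
"upon hire" as training and acknowledgement within 30 days of start date.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ANNUAL_WINDOW = timedelta(days=365)   # "at least annually"
NEW_HIRE_WINDOW = timedelta(days=30)  # assumption: local policy's reading of "upon hire"

# Constructed sample export; an empty cell means "no record on file".
SAMPLE_CSV = """name,hired,last_training,last_attestation
alice,2013-02-01,2014-08-15,2014-08-15
bob,2013-02-01,2013-06-01,2014-08-15
carol,2014-09-10,,
dave,2014-07-01,,
"""
AS_OF = date(2014, 9, 16)  # assessment date used by run_sample()


@dataclass
class Person:
    name: str
    hired: date
    last_training: Optional[date]
    last_attestation: Optional[date]


def _parse_date(cell: str) -> Optional[date]:
    """Blank cell -> None; otherwise an ISO date (garbage raises, which is what you want)."""
    cell = cell.strip()
    return date.fromisoformat(cell) if cell else None


def load_records(csv_text: str) -> list[Person]:
    """Parse an LMS/HR export into Person records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Person(
            name=row["name"].strip(),
            hired=date.fromisoformat(row["hired"].strip()),
            last_training=_parse_date(row["last_training"]),
            last_attestation=_parse_date(row["last_attestation"]),
        )
        for row in reader
    ]


def findings(p: Person, today: date) -> list[str]:
    """Return the 12.6.x gaps for one person; an empty list means compliant."""
    gaps = []
    past_grace = today - p.hired > NEW_HIRE_WINDOW
    # 12.6.1: trained upon hire (within the grace window) and at least annually.
    if p.last_training is None:
        if past_grace:
            gaps.append("12.6.1 new-hire training overdue")
    elif today - p.last_training > ANNUAL_WINDOW:
        gaps.append("12.6.1 annual training overdue")
    # 12.6.2: policy read-and-understood acknowledgement at least annually.
    if p.last_attestation is None:
        if past_grace:
            gaps.append("12.6.2 policy acknowledgement missing")
    elif today - p.last_attestation > ANNUAL_WINDOW:
        gaps.append("12.6.2 annual policy acknowledgement overdue")
    return gaps


def overdue_report(people: list[Person], today: date) -> dict[str, list[str]]:
    """Only the people with gaps: the list to chase before the assessor arrives."""
    report = {}
    for p in people:
        gaps = findings(p, today)
        if gaps:
            report[p.name] = gaps
    return report


def run_sample() -> dict[str, list[str]]:
    """Run the checker over the constructed export as of the sample date."""
    return overdue_report(load_records(SAMPLE_CSV), AS_OF)


if __name__ == "__main__":
    for name, gaps in run_sample().items():
        print(f"{name}: {'; '.join(gaps)}")
```

On the sample data, alice is current, carol is a hire still inside the grace window, bob has a current acknowledgement but training more than a year old, and dave is past the new-hire window with nothing on file. Run it on a real export on a schedule (monthly is plenty) and keep the full record set, not just the gap list; the assessor wants to see the evidence for the compliant people too. The grace window is the one knob you should set deliberately, and it should match what your written policy says, since the assessor will compare the two.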

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
