Question on the LinkedIn PCI message board: what challenges are members currently facing in achieving or sustaining the levels of employee awareness required for PCI DSS, and what solutions are they employing?
Awareness has to be mandatory, and it has to be short, in plain English, and you have to try to add value to it; that way the audience feels like actually listening to it. Hook up with marketing for help in that area.
Since PCI requires this (no gray area here), I split my awareness into 2 separate buckets. What I did was manage corporate users (most of whom use computers) and retail/restaurant staff (who do not use computers, excluding management) separately.
For corporate, I first partnered with marketing to create an online presentation with both audio and video that spoke to our corporate policy regarding approved and prohibited credit card information management (Do's and Don'ts). After that I partnered with my HR department to add this presentation to their annual corporate policies and procedures awareness program.
This program requires all corporate employees to watch an online video presentation about corporate policies, and requires management sign-off. My presentation is roughly 2 minutes long, in common Joe Blow English, not compliance or I.T. geek language.
For staff in the field (wait staff, management), I used my corporate "Credit Card Information Management" policy and required them to sign the policy annually. This covered 2 PCI requirements in one shot. I would like to note that I require all staff, even kitchen staff; that way I don't miss anyone, and they may also transfer job roles.
I also had HR add it to their new-hire paperwork, so that all new employees, wherever they may be, sign it upon hiring.