If your business processes credit card payments, then you probably know what PCI compliance is, and you are most likely required to become PCI DSS (Payment Card Industry Data Security Standard) compliant. In short, PCI DSS is a standard set up by the major card brands to keep payment card data secure and reduce the likelihood of fraud and identity theft.
Gaining PCI DSS compliance can be a bit daunting, and the list of requirements is long. There are probably a million different things running through your mind as you prepare for your audit. We'd like to show you how secure coding training can help you fulfill part of the standard. Read on to learn what being PCI DSS compliant really means and how the Adversary security training platform can help.
So what does it mean to be PCI DSS compliant?
PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
How do I know if my company should be PCI DSS compliant?
If your company accepts, processes, stores or transmits cardholder data, you are required to be PCI DSS compliant. The standard is maintained by the PCI Security Standards Council, and compliance is enforced by the card brands and your acquiring bank. PCI DSS was originally created by the card brands as a way to secure card transactions and protect cardholders from fraud and identity theft.
How can Adversary help you become PCI DSS compliant?
There are many requirements you will need to meet to become PCI DSS compliant, but there is one in particular that Adversary can help you meet. That requirement is 6.5, which reads as follows:
“Address common coding vulnerabilities in software-development processes as follows:
The PCI DSS then lists ten categories of vulnerability (sub-requirements 6.5.1 through 6.5.10) that developers need to be able to identify, prevent and remediate in order to fulfill this requirement. However, the standard notes that the list reflects the common vulnerabilities at the time the current version (v3.2.1, 2018) was published. Industry best practices for vulnerability management are updated regularly, so the current best practices must be used when meeting these requirements.
So who decides the industry best practices?
No single authority decides which coding vulnerabilities count as the most common. The PCI DSS does, however, give a few examples of the sources it has in mind: the OWASP Guide, the SANS CWE Top 25 and CERT Secure Coding. Here at Adversary, we base our training material on the OWASP Guide and the regularly updated OWASP Top 10 list, and we constantly add new content to address the latest vulnerabilities.
How does the Adversary training platform help with this?
If you are looking to fulfill requirement 6.5 using the Adversary training platform, we strongly recommend that your developers complete all of our available labs. We also maintain a list of recommended content for your team, mapped to the vulnerability categories listed in the PCI DSS (2018).
Note that we at Adversary cannot guarantee that you will pass this part of the audit even if your developers complete all the labs; the assessor makes that determination.
How can I show my auditor that my developers have completed the training I assigned them?
Adversary offers reports in our supervisor interface, which is an easy way to show your auditor that your developers have finished their assigned training. On top of that, you can create specific campaigns for your team to complete in Adversary. We recommend creating a dedicated PCI campaign for your developers so that the reports for that training are easy to pull out and hand to the assessor.
The standard says I should train my development teams at least annually
Our platform is sold as a yearly subscription. One of the reasons for our SaaS business model is that we believe security training is not a one-time thing but a continuous one. We are always adding new content to keep users engaged and to cover the latest vulnerabilities, which makes it easy to keep using Adversary to train your developers annually for PCI DSS compliance. Employees also come and go, and it is important that new hires get up to speed quickly, both for compliance purposes and to reduce the likelihood of your company being breached. Even if some of your developers love the platform so much that they complete new labs the minute they are released, it is still important for everyone to refresh their knowledge regularly.
To use Adversary year after year, simply keep using the supervisor interface to show that your developers are undergoing annual training. This way you have continuous training and will not need to worry about switching training platforms.
We hope this gives you some insight into PCI DSS compliance and how the Adversary training platform can help fulfill part of it.
Want to see how it works?
Sign up for a trial and get 5 missions for free, or request a demo below if you would like a more in-depth walkthrough of our supervisor interface and a quote.