Trinity Mirror - implementing online PCI DSS awareness training

One of the UK’s largest publishers, Trinity Mirror, is taking a pro-active approach to PCI DSS by delivering innovative online training to staff working in key departments. The aim of the training is to raise awareness and understanding of the PCI standard and get employee buy-in to adopting secure practices when processing customer data.
 
“As a business we need to protect our customers' confidential information – our reputation depends on that.”
Stephen Walker, IT Director, Trinity Mirror Shared Services.
 
The Business
Trinity Mirror is one of the most recognised media brands in the country. With over 120 regional titles and five national newspapers, 40 per cent of the population will read at least one Trinity Mirror paper every week. Trinity Mirror boasts The Daily Mirror, one of the UK’s most famous national newspaper titles, and regional titles such as the Liverpool Echo and Newcastle Chronicle, together with a growing number of websites, hyperlocal / community sites and mobile sites. The Group employs over 7,000 people in more than 85 locations across the UK.
 
The PCI Challenge
To protect cardholder data, the payment card industry (PCI) has developed a set of standards for the secure handling of sensitive customer information. These standards define the minimum requirements for merchants and service providers who process, store, or transmit credit or debit card data. Adherence to these standards is both a contractual requirement for any business that touches cardholder data and critical to the good reputation and financial health of the business.
 
Trinity Mirror processes customer card data in a variety of ways. Key areas are taking payments for classified advertising, either via telephone or online, and processing one-off or subscription payments for specialist publications such as magazines and books. As a result, Trinity Mirror processes card details for over 350,000 customers each year. Departments that handle credit and debit card data are identified as key risk areas, and PCI awareness training for staff working in these departments is essential to protecting cardholder data.
 
Scoping & Planning
Initially SAI Global worked with Trinity Mirror to produce a full information security awareness scoping report focusing on how the Group could deliver a comprehensive training programme to all employees across the group. The report highlighted PCI awareness as a key risk area, identified the audience groups that needed to be targeted and discussed the most appropriate delivery methods for training. Trinity Mirror decided to make PCI training a strategic priority.
 
“The scoping exercise was very worthwhile. With any project such as this you need to measure the cost against the benefits. We needed to target the parts of the business that are really affected. This exercise enabled us to identify advertising, finance and IT as key risk areas for PCI DSS Compliance and address how we raise awareness of PCI in a straightforward and engaging way.”
 
The Solution
SAI Global developed a bespoke web-based PCI awareness program to target key employees across Trinity Mirror. The aim of the course was to raise awareness and understanding of the PCI standard, how it affects Trinity Mirror, and to demonstrate how employees can make a difference by helping to protect cardholder data.
 
The course was initially road-tested on a small group of employees to get feedback and identify any issues that may need to be resolved prior to the final roll-out. The feedback was positive, and the next stage of the project was to implement the training across key departments – 1,300 employees in total. 
 
Rolling out the Training
The IT department at Trinity Mirror worked closely with HR to identify staff in the company who required the training and to upload the information into the Learning Management System.
 
“We anticipated that some staff might be more resistant to the training and so we addressed this by sending out two sets of FAQs with the email invite. One of the documents provided background information on why employees need to do the training and the other covered technical FAQs to resolve any access problems that may arise i.e. browser settings etc.”
 
As a result, the uptake of the awareness training has been substantial. Approximately two-thirds of staff requiring training had successfully completed the course within just three months. The course was well received by staff, and one of the key success factors was the way the content was structured and delivered – making it engaging and providing greater flexibility for staff:
 
“All the information needed is in the course, but it isn’t long-winded. It is succinct and to the point, people can go through training, get all the key points, and understand the process in a short period. It delivers in terms of providing the message and content in manageable chunks. Employees can break the training down into sections, which is very flexible.”
 
Getting Senior Management Buy-in
Senior Management also played a large part in the success of the training. Meetings were arranged to brief Senior Management on the project; this helped them to understand their specific role in promoting the PCI Standard to staff and secured their buy-in to helping roll out and promote the training. Following the awareness training programme, Trinity Mirror is developing a PCI compliance programme that is backed by senior management and endorsed at Group CFO level. This helps to reinforce the importance of the PCI Standard to Trinity Mirror as a company.
 
“The team leaders in the advertising departments were very pro-active. They organised groups of adsales people to do the training together in teams and set aside a couple of hours on specific days to complete it. Being customer facing, they had a good level of understanding and acceptance of protecting card holder data and welcomed the training.”
 
Looking Ahead
Trinity Mirror plans to make the PCI awareness course available to all new starters and temporary staff working in the relevant departments. The PCI standard also requires that staff complete the training on an annual basis.
 
In addition, Trinity Mirror uses the PCI awareness course as an ongoing resource for staff: “The training is always accessible via the web, so people can go back to it at any point, making it a great reminder tool as well.”
 

Key Successes

  • Raised awareness of PCI and what it means to the company across three key functions: advertising, finance and IT.
  • Helped to put PCI on the agenda generally.
  • Brought visibility of PCI up to Director and Senior Management level.
  • Helped to get buy-in to develop the full PCI Compliance programme.
 
Key Considerations
  • Don’t underestimate the amount of time needed to import and manage employee data in the Learning Management System on an ongoing basis.
  • Invest in scoping and planning to identify training needs, the key audience groups to be targeted and the appropriate delivery methods.
  • Set out clear objectives to enable measurement of success.
