12.6 Security awareness education is an ongoing activity.
This requirement ensures that organizations implement a formal security awareness program to educate all personnel about information security policies, procedures, and their role in protecting cardholder data.
Sub-requirements:
- 12.6.1 A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and of their role in protecting cardholder data
- 12.6.2 The security awareness program is reviewed at least once every 12 months and updated as needed to address new threats and vulnerabilities that may impact the CDE
- 12.6.3 Personnel receive security awareness training upon hire and at least once every 12 months, delivered through multiple communication methods, and acknowledge at least once every 12 months that they have read and understood the information security policy and procedures
- 12.6.3.1 Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks and social engineering
- 12.6.3.2 Security awareness training includes awareness of the acceptable use of end-user technologies (see Requirement 12.2.1)
Summary: A security awareness program is implemented and maintained. Ensure all personnel are trained on security policies and procedures, including how to recognize, detect, and report security incidents.
Key Risks
- Personnel who have not been trained are more likely to fall for phishing and other social engineering attacks that target access to cardholder data.
- Incidents go unreported or are reported late when staff do not know the reporting procedure.
- Cardholder data is handled or stored insecurely because staff are unaware of the policies that apply to it.
- A program that is never reviewed fails to cover new threats and vulnerabilities affecting the CDE.
Frequently Asked Questions
How often must security awareness training be conducted?
Upon hire and at least once every 12 months for all personnel; personnel must also acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.
What topics should be included in training?
Policies and procedures, incident reporting, phishing and social engineering, secure handling of cardholder data, and acceptable use of end-user technologies.
How is training tracked?
Through learning management systems, sign-in sheets, or acknowledgment forms.
What happens if staff miss training?
They are required to complete make-up sessions before resuming sensitive duties.
How are new threats communicated?
Through ongoing awareness updates, bulletins, and refresher training.
Common QSA Questions
Can you show records of security awareness training?
Yes, we maintain logs of all training sessions and participant acknowledgments.
How are personnel trained to report incidents?
Incident reporting procedures are included in all training sessions.
How is ongoing awareness maintained?
Through periodic updates, simulated phishing, and refresher training.