12.6.1 A formal security awareness program is implemented
Defined Approach Requirements
12.6.1 A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data.
Customized Approach Objective
Personnel are knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required.
Defined Approach Testing Procedures
12.6.1 Examine the security awareness program to verify it provides awareness to all personnel about the entity's information security policy and procedures, and personnel's role in protecting the cardholder data.
Purpose
If personnel are not educated about their company's information security policies and procedures and their own security responsibilities, security safeguards and processes that have been implemented may become ineffective through unintentional errors or intentional actions.
purpose
Establish a formal security awareness program for all personnel.
compliance strategies
- Annual security awareness training for all personnel, with completion recorded
- Ongoing security updates between annual sessions (briefings, reminders, notices about new threats)
typical policies
- Security Awareness Program Policy
common pitfalls
- No training records retained (completion dates, attendance, acknowledgements), so the program cannot be evidenced to an assessor
- One-time training only (for example, at hire) with no refresher; note that PCI DSS 12.6.3 separately requires training upon hire and at least once every 12 months
type
Training/Process Control
difficulty
Low
key risks
- Personnel who do not know the policies or their own responsibilities can defeat otherwise sound controls through error or deliberate action
recommendations
- Use a learning management system (LMS) to assign training, record completions, and send reminders before each person's annual due date
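The two pitfalls above (no training records, one-time training only) and the LMS recommendation are easy to check mechanically once completion data is exported. The following is an added example, not part of this page or of the PCI DSS standard, that evaluates a constructed roster and LMS export against an assumed policy of a 365-day refresher interval and a 30-day grace period for new hires; the personnel IDs, dates, and field names are hypothetical.

```python
from datetime import date, timedelta

# Policy parameters (assumed values; take them from your own program policy).
TRAINING_INTERVAL_DAYS = 365   # annual refresher
NEW_HIRE_GRACE_DAYS = 30       # how long a new hire may go without a first completion

# Constructed sample roster and LMS export; not real personnel or real data.
PERSONNEL = [
    {"id": "u001", "hire_date": date(2022, 3, 1)},
    {"id": "u002", "hire_date": date(2021, 1, 10)},
    {"id": "u003", "hire_date": date(2024, 5, 20)},
    {"id": "u004", "hire_date": date(2023, 2, 1)},
    {"id": "u005", "hire_date": date(2022, 6, 1)},
]
TRAINING_RECORDS = [
    {"id": "u001", "completed": date(2023, 5, 15)},
    {"id": "u001", "completed": date(2024, 5, 10)},
    {"id": "u002", "completed": date(2022, 1, 20)},   # one-time only, never refreshed
    {"id": "u005", "completed": date(2023, 6, 10)},
    {"id": "u005", "completed": date(2024, 7, 1)},    # dated after the review date: ignored
]


def evaluate_roster(personnel, records, as_of):
    """Return {person_id: {"status": ..., "last_completed": ..., "next_due": ...}}.

    Statuses:
      current          - a completion within TRAINING_INTERVAL_DAYS of as_of
      overdue          - last completion older than TRAINING_INTERVAL_DAYS
      no_record        - no completion at all and past the new-hire grace period
      new_hire_pending - no completion yet, still inside the grace period
    """
    completions = {}
    for rec in records:
        if rec["completed"] <= as_of:          # drop future-dated or mis-keyed entries
            completions.setdefault(rec["id"], []).append(rec["completed"])

    results = {}
    for person in personnel:
        pid = person["id"]
        dates = sorted(completions.get(pid, []))
        if not dates:
            tenure = (as_of - person["hire_date"]).days
            status = "new_hire_pending" if tenure <= NEW_HIRE_GRACE_DAYS else "no_record"
            results[pid] = {
                "status": status,
                "last_completed": None,
                "next_due": person["hire_date"] + timedelta(days=NEW_HIRE_GRACE_DAYS),
            }
            continue
        last = dates[-1]
        next_due = last + timedelta(days=TRAINING_INTERVAL_DAYS)
        status = "current" if as_of <= next_due else "overdue"
        results[pid] = {"status": status, "last_completed": last, "next_due": next_due}
    return results


def reminder_list(results, as_of, days_ahead=30):
    """IDs whose training is still current but falls due within days_ahead days."""
    horizon = as_of + timedelta(days=days_ahead)
    return sorted(pid for pid, r in results.items()
                  if r["status"] == "current" and r["next_due"] <= horizon)


def findings(results):
    """IDs matching the two pitfalls: no record at all, or a lapsed one-time completion."""
    return sorted(pid for pid, r in results.items()
                  if r["status"] in ("overdue", "no_record"))


if __name__ == "__main__":
    review_date = date(2024, 6, 1)
    res = evaluate_roster(PERSONNEL, TRAINING_RECORDS, review_date)
    for pid, r in res.items():
        print(pid, r["status"], "next due", r["next_due"])
    print("remind:", reminder_list(res, review_date))
    print("findings:", findings(res))
```

Run against a real LMS export, the `findings` list is the evidence gap an assessor would ask about, and the `reminder_list` is what the LMS should be sending notices for; keeping the export itself is what answers the "no training records" pitfall.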
Eligible SAQ
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER