12.6.2 The security awareness program is reviewed and updated
Defined Approach Requirements
12.6.2 The security awareness program is:
- Reviewed at least once every 12 months, and
- Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity's cardholder data and/or sensitive authentication data, or the information provided to personnel about their role in protecting cardholder data.
Customized Approach Objective
The content of security awareness material is reviewed and updated periodically.
Applicability Notes
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Defined Approach Testing Procedures
12.6.2 Examine security awareness program content, evidence of reviews, and interview personnel to verify that the security awareness program is in accordance with all elements specified in this requirement.
Purpose
The threat environment and an entity's defenses are not static. As such, the security awareness program materials must be updated as frequently as needed to ensure that the education received by personnel is up to date and represents the current threat environment.
Purpose
Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
Compliance Strategies
- Annual acknowledgment tracking
- Automated reminders
Typical Policies
- Policy Acknowledgment Procedure
Common Pitfalls
- No acknowledgment records
- Missed annual confirmations
Type
Process Control
Difficulty
Low
Key Risks
- Staff unaware of responsibilities
Recommendations
- Automate acknowledgment with digital signatures
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER