12.6.3.2 Security awareness training includes acceptable use of end-user technologies
Defined Approach Requirements
12.6.3.2 Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.
Customized Approach Objective
Personnel are knowledgeable about their responsibility for the security and operation of end-user technologies and are able to access assistance and guidance when required.
Applicability Notes
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Defined Approach Testing Procedures
12.6.3.2 Examine security awareness training content to verify it includes awareness about acceptable use of end-user technologies in accordance with Requirement 12.2.1.
Purpose
By including the key points of the acceptable use policy, and the context behind them, in regular training, personnel will understand their responsibilities and how these impact the security of an organization's systems.
Purpose
Train personnel on detecting and reporting unauthorized system use.
Compliance Strategies
- Training modules
- Incident reporting procedures
Typical Policies
- Unauthorized Use Reporting Policy
Common Pitfalls
- No reporting process
- No training records
Type
Training/Process Control
Difficulty
Low
Key Risks
- Delayed incident response
Recommendations
- Test reporting process during training
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER