WithPCI.com

12.6.3 Personnel receive security awareness training

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.6.3 Personnel receive security awareness training as follows:

  • Upon hire and at least once every 12 months.
  • Multiple methods of communication are used.
  • Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.

Customized Approach Objective

Personnel remain knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required.

Defined Approach Testing Procedures

12.6.3.a Examine security awareness program records to verify that personnel attend security awareness training upon hire and at least once every 12 months.

12.6.3.b Examine security awareness program materials to verify the program includes multiple methods of communicating awareness and educating personnel.

12.6.3.c Interview personnel to verify they have completed awareness training and are aware of their role in protecting cardholder data.

12.6.3.d Examine security awareness program materials and personnel acknowledgments to verify that personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.

Purpose

Training of personnel ensures they receive the information about the importance of information security and that they understand their role in protecting the organization.

Requiring an acknowledgment by personnel helps ensure that they have read and understood the security policies and procedures, and that they have made and will continue to make a commitment to comply with these policies.

Good Practice

Entities may incorporate new-hire training as part of the Human Resources onboarding process. Training should outline the security-related "dos" and "don'ts." Periodic refresher training reinforces key security processes and procedures that may be forgotten or bypassed.

Entities should consider requiring security awareness training anytime personnel transfer into roles where they can impact the security of cardholder data and/or sensitive authentication data from roles where they did not have this impact.

Methods and training content can vary, depending on personnel roles.

Examples

Different methods that can be used to provide security awareness and education include posters, letters, web-based training, in-person training, team meetings, and incentives.

Personnel acknowledgments may be recorded in writing or electronically.

Sub-Requirements

Purpose

Train personnel on security responsibilities annually.

Compliance Strategies

  • Annual security training
  • Role-based modules

Typical Policies

  • Security Training Policy

Common Pitfalls

  • Missed annual training
  • No role-specific content

Type

Training/Process Control

Difficulty

Low

Key Risks

  • Personnel unaware of obligations

Recommendations

  • Automate training reminders and tracking
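One way to automate the tracking side of this recommendation is to run the 12.6.3 intervals over the training and acknowledgment records and report who is overdue. The script below is an added example, not WithPCI's or the PCI SSC's code; the record format (`hire_date`, `training_dates`, `ack_dates`) and the sample personnel are constructed for illustration.

```python
from datetime import date, timedelta

# 12.6.3: training and policy acknowledgment at least once every 12 months.
MAX_INTERVAL = timedelta(days=365)
AS_OF = date(2024, 6, 1)  # assessment date used for the sample run


def check_personnel(record, as_of):
    """Return a list of 12.6.3 findings for one record; an empty list means compliant."""
    findings = []
    trainings = sorted(record.get("training_dates", []))
    acks = sorted(record.get("ack_dates", []))
    # Training is required upon hire, so a record with none is a finding
    # regardless of how recently the person was hired.
    if not trainings:
        findings.append("no security awareness training on record (required upon hire)")
    elif as_of - trainings[-1] > MAX_INTERVAL:
        findings.append(f"annual training overdue (last {trainings[-1]})")
    # The acknowledgment is tracked separately from the training itself.
    if not acks:
        findings.append("no policy acknowledgment on record")
    elif as_of - acks[-1] > MAX_INTERVAL:
        findings.append(f"policy acknowledgment overdue (last {acks[-1]})")
    return findings


def overdue_report(records, as_of):
    """Map each non-compliant person's id to that person's findings."""
    return {r["id"]: f for r in records if (f := check_personnel(r, as_of))}


# Constructed sample records (hypothetical personnel, not real data).
SAMPLE_RECORDS = [
    {"id": "alice", "hire_date": date(2022, 3, 1),
     "training_dates": [date(2022, 3, 2), date(2023, 3, 1), date(2024, 2, 20)],
     "ack_dates": [date(2022, 3, 2), date(2023, 3, 1), date(2024, 2, 20)]},
    {"id": "bob", "hire_date": date(2021, 6, 15),
     "training_dates": [date(2021, 6, 16), date(2023, 1, 10)],
     "ack_dates": [date(2021, 6, 16), date(2024, 1, 5)]},
    {"id": "carol", "hire_date": date(2024, 5, 1),
     "training_dates": [], "ack_dates": []},
]


def sample_report():
    """Run the check over the constructed records as of AS_OF."""
    return overdue_report(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for pid, issues in sample_report().items():
        print(pid, "->", "; ".join(issues))
```

Feeding the report into a reminder workflow covers the "reminders" half of the recommendation, while the per-record findings double as the evidence an assessor asks for under 12.6.3.a and 12.6.3.d.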

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
