Acknowledgement of Security Policy and Procedures
As part of your security awareness program, PCI Requirement 12.6.2 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures. There should be some type of evidence to show that your personnel have read and understood security policies and procedures; this could be in writing or electronic. The PCI DSS guidance explains, “Requiring an acknowledgement by personnel in writing or electronically helps ensure that they have read and understood the security policies/procedures, and that they have made and will continue to make a commitment to comply with these policies.”
To verify compliance with PCI Requirement 12.6.2, an assessor will examine your documentation or evidence of acknowledgement from personnel.
PCI Requirement 12.6.2 requires that after your staff has attended their annual security awareness training or their new employee orientation training, they have read and actually understood the policies. One of the things we do from an assessment perspective is that we ask for evidence of that. Signing off that they’ve read and they’ve understood the policies can either be electronic or in writing – it makes no difference. What we’re looking for is that staff truly understands what the policies are.
As part of your policy documentation program, one of the things that I recommend is writing the policies or developing the policies in such a state that the average layman user can truly understand them. If you lawyer-up your policies and you put all of this HR information in there, you’re kind of dumbing down the purpose of what they’re about. They’re really meant as an educational document that defines how you want your business run. Your staff needs to be aware of what that looks like.



Human error is often the weakest link in a security system, and the same is true for cloud environments. How did your data get into the cloud? Think of all the ways that an employee, user, or vendor interacts with your cloud – someone has to put data in the cloud, someone manages it, and someone accesses it. Each of these touchpoints is an opportunity for an insecure process, but remote cloud audits won’t be able to catch those vulnerabilities. An auditor needs to see how employees complete a secure process. They need to visit your office location and examine your heating and cooling systems, your power regulation, your physical security controls. They need to interview your employees who manage vendor compliance to verify that vendor processes are secure.
