PCI Requirement 12.6.2 – Require Personnel to Acknowledge at Least Annually That They Have Read and Understood the Security Policy and Procedures

by Sarah Harvey / March 8, 2023

 Acknowledgement of Security Policy and Procedures As part of your security awareness program, PCI Requirement 12.6.2 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures. There should be some type of evidence to show that your personnel have read and understood security policies and procedures; this could be in writing or electronic. The PCI DSS guidance explains, “Requiring an acknowledgement…

PCI Requirement 12.6.1 – Educate Personnel Upon Hire and at Least Annually

by Randy Bartels / April 5, 2023

 Education for Personnel As part of your security awareness program, PCI Requirement 12.6.1 asks that you educate personnel upon hire and at least annually. The PCI DSS recognizes that if your security awareness program does not include periodic refreshers or training, key security policies and procedures may be forgotten or circumvented, which could result in exposed or at-risk critical resources and cardholder data. This education could be different for…

PCI Requirement 12.6 – Implement a Formal Security Awareness Program to Make All Personnel Aware of the CHD Data Security Policy and Procedures

by Randy Bartels / April 5, 2023

 Developing a Security Awareness Program PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. Without compliance with this requirement, how would your program even work properly? If personnel are not educated and aware of their security responsibilities, security safeguards and processes that you’ve worked hard to develop and implement may become ineffective…

PCI Requirement 12.5.5 – Monitor and Control All Access to Data

by Randy Bartels / April 5, 2023

 Someone to Monitor and Control All Access to Data PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it? Without someone formally responsible for monitoring and giving access to cardholder data, that data does not have the protection it needs. Throughout the PCI DSS, it talks about key management, data custodians, and giving access based on a…

PCI Requirement 12.5.4 – Administer User Accounts, Including Additions, Deletions, and Modifications

by Randy Bartels / December 22, 2022

 Someone to Administer User Accounts In PCI Requirement 8.1.2, we learned there must be a formal program of control for additions, deletions, and modifications of user IDs and other credentials. This ties right in with PCI Requirement 12.5.4, which states there must be someone assigned to administer user accounts, including additions, deletions, and modifications. Think about all of the additions, deletions, and modifications that has occurred within your organization…