Education for Personnel
As part of your security awareness program, PCI Requirement 12.6.1 asks that you educate personnel upon hire and at least annually. The PCI DSS recognizes that without periodic refreshers or training, key security policies and procedures may be forgotten or circumvented, leaving critical resources and cardholder data exposed or at risk.
This education can differ by employee or department, depending on each person's role and level of access to cardholder data. To verify compliance with PCI Requirement 12.6.1, an assessor will review your security awareness program and will also likely interview a sample of your personnel to confirm that they understand their responsibilities and the cardholder data security policies and procedures that apply to them.
PCI Requirement 12.6.1 requires that we educate personnel upon hire and at least annually. The annual clause is there because you will be amending, updating, or reviewing your policies at least annually; to ensure your staff understand those policies, they need to go through the updated policies and an annual security awareness training program. Your assessor will be looking for evidence of that, such as training records and attendance logs showing who completed the training and when.