PCI Requirement 12.6.2 – Require Personnel to Acknowledge at Least Annually That They Have Read and Understood the Security Policy and Procedures

by Sarah Harvey / July 3rd, 2018

Acknowledgement of Security Policy and Procedures

As part of your security awareness program, PCI Requirement 12.6.2 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures. There should be some type of evidence showing that your personnel have read and understood the security policies and procedures; this evidence can be a written or an electronic acknowledgement. The PCI DSS guidance explains, “Requiring an acknowledgement by personnel in writing or electronically helps ensure that they have read and understood the security policies/procedures, and that they have made and will continue to make a commitment to comply with these policies.”

To verify compliance with PCI Requirement 12.6.2, an assessor will examine your documentation or evidence of acknowledgement from personnel.

PCI Requirement 12.6.2 requires that, after your staff have attended their annual security awareness training or their new employee orientation training, they have read and actually understood the policies. One of the things we do from an assessment perspective is ask for evidence of that. Signing off that they’ve read and understood the policies can be either electronic or in writing; it makes no difference. What we’re looking for is that staff truly understand what the policies are.

As part of your policy documentation program, one of the things that I recommend is writing or developing the policies in such a way that the average layman user can truly understand them. If you lawyer-up your policies and put all of this HR information in there, you dilute the purpose of what they’re about. They’re really meant as an educational document that defines how you want your business run. Your staff need to be aware of what that looks like.