Developing a Security Awareness Program
PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. Without compliance with this requirement, how would your program even work properly? If personnel are not educated and aware of their security responsibilities, security safeguards and processes that you’ve worked hard to develop and implement may become ineffective through intentional or unintentional actions.
An assessor wants to see that your personnel can operate in your environment securely. To verify compliance with PCI Requirement 12.6, they will want to review your security awareness program and what type of training you provide. An assessor will also likely interview a sample of your personnel to see if they understand their responsibilities and cardholder data security policy and procedures.
PCI Requirement 12.6 requires that you implement a security awareness training program. There are many things that we look for in this program. We look for the fact that you are training your staff about how to carry out the actions within your environment securely; we’re not just necessarily looking for training them on the PCI DSS, though. Really what we’re looking for is if they can operate your environment securely. So, your security awareness training program is called out in PCI Requirement 12.6, and your assessors are going to be looking and asking for a copy of that information or at least to observe that information to see what you’re actually training for.