GRCWatch
Sign inStart free trial

PCI DSS 12.2.1: Define Acceptable Use Policies for End-User Technologies

Acceptable use policies (AUPs) are your first line of defense against insider threats and careless security violations. PCI DSS 12.2.1 requires documented policies that clearly define what employees can and cannot do with company technology. Without clear guidelines, your team becomes a compliance liability and a breach risk.

What this means

This control requires you to create and enforce written policies that specify acceptable uses of end-user technologies—including computers, mobile devices, email, internet access, and removable media. These policies must be documented, distributed to all users, and actively enforced across your organization to ensure consistent security behavior and reduce the risk of data compromise.

How to comply

  1. 1.Draft comprehensive acceptable use policies covering all end-user technologies including computers, laptops, mobile devices, USB drives, and cloud applications
  2. 2.Clearly define prohibited activities such as downloading unauthorized software, accessing personal accounts on work devices, and sharing credentials
  3. 3.Specify consequences for policy violations, from warnings to termination, to ensure accountability
  4. 4.Distribute policies to all employees and contractors in writing, requiring signed acknowledgment of receipt and understanding
  5. 5.Integrate policies into onboarding processes so new hires receive and acknowledge them before system access
  6. 6.Conduct annual policy reviews and updates to address emerging technologies and threats
  7. 7.Monitor and audit compliance through user activity logs, endpoint monitoring, and periodic audits
  8. 8.Train employees on policy requirements and the security reasoning behind them to encourage buy-in

Evidence auditors look for

  • Signed acceptable use policy acknowledgments from all employees and contractors
  • Documented policy versions with dates showing annual reviews and updates
  • Employee onboarding checklists confirming AUP training and acknowledgment
  • Endpoint monitoring logs showing policy enforcement on company devices
  • Training records documenting delivery of AUP training to staff
  • Incident reports documenting policy violations and disciplinary actions taken
  • Audit reports showing regular compliance reviews of AUP adherence

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates acceptable use policy distribution, tracks signed acknowledgments, and monitors policy acceptance across your entire workforce—eliminating manual tracking and proving compliance in audits within minutes.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.2.2 — Acceptable Use Policies for Unattended User DevicesPCI DSS 12.3 — Information Security Policies and ProceduresPCI DSS 12.6 — Security Awareness Program