PCI DSS 12.6.1: Security Awareness Program Requirements
A formal security awareness program is foundational to PCI DSS compliance—it transforms your entire team into active participants in cardholder data protection. Without clear policies and training, even robust technical controls fail when employees don't understand their responsibilities. Control 12.6.1 requires organizations to establish and maintain documented security awareness initiatives that reach all personnel handling payment card data.
What this means
This control mandates that you create a structured, organization-wide security awareness program. Rather than ad-hoc training, you need formal documentation outlining information security policies, expectations, and each role's specific responsibilities in protecting cardholder data. The program must be measurable, regularly communicated, and tailored to different job functions. It establishes accountability for security as a shared responsibility across your organization.
How to comply
- 1.Document your formal security awareness program in a written policy that covers all personnel roles and responsibilities
- 2.Define specific training requirements based on job function and access level to cardholder data
- 3.Deliver initial security awareness training to all new employees before they handle cardholder data
- 4.Conduct annual refresher training for all personnel with documented evidence of completion
- 5.Include topics such as acceptable use, password management, incident reporting, and social engineering awareness
- 6.Measure program effectiveness through testing (phishing simulations, quizzes, or assessments)
- 7.Document participation rates, test results, and any corrective actions taken
- 8.Update training materials annually or when policies change
Evidence auditors look for
- Security awareness policy document signed by management
- Training curriculum and materials for different role-based groups
- Employee training attendance records with dates and signatures
- Pre- and post-training assessment scores
- Phishing simulation campaign results and employee response metrics
- Annual training completion checklists by department
- Training effectiveness survey results
- Incident reports showing awareness of proper escalation procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates security awareness program tracking by centralizing training records, scheduling annual refresher reminders, documenting completion evidence, and generating audit-ready compliance reports—eliminating manual spreadsheet management and ensuring no employee slips through the cracks.
See how GRCWatch handles this control automatically
Start free trial