Framework № PCI DSS 4.0 от 01.03.2022

12.6.1
Defined Approach Requirements: 
A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.  

Customized Approach Objective:
Personnel are knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required. 

Defined Approach Testing Procedures:

Purpose:
If personnel are not educated about their company’s information security policies and procedures and their own security responsibilities, security safeguards and processes that have been implemented may become ineffective through unintentional errors or intentional actions. 

12.6.2
Defined Approach Requirements: 
The security awareness program is: 

Customized Approach Objective:
The content of security awareness material is reviewed and updated periodically. 

Applicability Notes:
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
The threat environment and an entity’s defenses are not static. As such, the security awareness program materials must be updated as frequently as needed to ensure that the education received by personnel is up to date and represents the current threat environment. 

12.6.3
Defined Approach Requirements: 
Personnel receive security awareness training as follows:

Customized Approach Objective:
Personnel remain knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required. 

Defined Approach Testing Procedures:

Purpose:
Training of personnel ensures they receive the information about the importance of information security and that they understand their role in protecting the organization. 
Requiring an acknowledgment by personnel helps ensure that they have read and understood the security policies and procedures, and that they have made and will continue to make a commitment to comply with these policies. 

Good Practice:
Entities may incorporate new-hire training as part of the Human Resources onboarding process. Training should outline the security-related “dos” and “don’ts.” Periodic refresher training reinforces key security processes and procedures that may be forgotten or bypassed. 
Entities should consider requiring security awareness training anytime personnel transfer into roles where they can impact the security of account data from roles where they did not have this impact. 
Methods and training content can vary, depending on personnel roles. 

Examples:
Different methods that can be used to provide security awareness and education include posters, letters, web-based training, in-person training, team meetings, and incentives. 
Personnel acknowledgments may be recorded in writing or electronically. 

12.6.3.1
Defined Approach Requirements: 
Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including but not limited to:

Customized Approach Objective:
Personnel are knowledgeable about their own human vulnerabilities and how threat actors will attempt to exploit such vulnerabilities. Personnel are able to access assistance and guidance when required. 

Applicability Notes:
See Requirement 5.4.1 for guidance on the difference between technical and automated controls to detect and protect users from phishing attacks, and this requirement for providing users security awareness training about phishing and social engineering. These are two separate and distinct requirements, and one is not met by implementing controls required by the other one. 
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
Educating personnel on how to detect, react to, and report potential phishing and related attacks and social engineering attempts is essential to minimizing the probability of successful attacks. 

Good Practice:
An effective security awareness program should include examples of phishing emails and periodic testing to determine the prevalence of personnel reporting such attacks. Training material an entity can consider for this topic include:

An emphasis on reporting allows the organization to reward positive behavior, to optimize technical defenses (see Requirement 5.4.1), and to take immediate action to remove similar phishing emails that evaded technical defenses from recipient inboxes. 

12.6.3.2
Defined Approach Requirements: 
Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1. 

Customized Approach Objective:
Personnel are knowledgeable about their responsibility for the security and operation of enduser technologies and are able to access assistance and guidance when required. 

Applicability Notes:
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. 

Defined Approach Testing Procedures:

Purpose:
By including the key points of the acceptable use policy in regular training and the related context, personnel will understand their responsibilities and how these impact the security of an organization’s systems.