The purpose of this SIG is to provide guidance to organizations looking to implement a formal security awareness program to satisfy PCI DSS Requirement 12.6.
Satisfying PCI DSS Requirement 12.6 requires implementation of a formal security awareness program. Organizations approach this in many ways, from short online modules to day-long classes or internally developed material. Each of these methods provides a very different level of knowledge about the importance of protecting cardholder data.
There are various ways to meet the intent of the requirement, which leaves many organizations looking for guidance on how to develop their security awareness training.
The objectives for the Security Awareness Program SIG are to create an information supplement that includes at least the following:
- Develop best practices in organizational security awareness training for protecting cardholder data
- Develop best practices for a consistent, uniform approach to provide personnel in various roles the appropriate level of awareness training for cardholder data security
- Develop best practices on the type and depth of content an organization can use to train personnel to meet the intent of PCI DSS Requirement 12.6
- Develop a best practices checklist to help organizations manage their awareness training and educate their personnel on the importance of cardholder data security
In accordance with the Payment Card Industry Security Standards Special Interest Groups (SIGs) Rules of Engagement, a PCI SSC representative will chair, lead and project manage the SIG’s work. This SIG chair helps drive consensus between SIG members and also helps to ensure alignment between SIG volunteer contributions and PCI SSC direction. The SIG Chair, other PCI SSC participants, and SIG members (including Participating Organizations, payment brand participants, QSAs and ASVs) will work together collaboratively to accomplish the SIG objectives.
Participation Requirements and Contact Information
SIG participation is open to any PCI Participating Organization, QSA, ASV company and PCI Council Members. Participants should allot time to attend regularly scheduled meetings as well as additional time to draft and/or review documents, in accordance with their desired level of participation. Draft and final versions of the paper will be written by SIG members and PCI SSC staff.
SIG Meetings will be chaired by Elizabeth Terry, PCI SSC Standards Project Manager.
Meeting coordination and other administrative tasks will be handled by Cynthia Revilla, SIG Program Manager, firstname.lastname@example.org.
To join this SIG and be included on future communications regarding meeting times and responsibilities, please click the ‘Register’ button at the top of this page to sign up online.
Deliverables and Timeline
The anticipated deliverable is an Information Supplement (or similar guidance document), and the SIG effort is expected to be completed by the end of 2014.