GRCWatch
Sign inStart free trial

PCI DSS 12.6.3.2: Acceptable Use in Security Training

Acceptable use training closes a critical gap between policy and practice—employees need clear guidance on what they can and cannot do with company technology. PCI DSS 12.6.3.2 requires that all security awareness training explicitly covers acceptable use of end-user technologies. This control prevents unauthorized access, data misuse, and compliance violations by establishing baseline behavioral expectations.

What this means

Security awareness training must include specific instruction on the acceptable use of end-user technologies such as computers, mobile devices, email, and internet access. This means your training curriculum should clearly communicate what constitutes appropriate versus inappropriate use, including policies on personal use, file sharing, public Wi-Fi connections, and remote access. The control ensures that all workforce members understand boundaries around company technology before they have access to cardholder data environments.

How to comply

  1. 1.Document your acceptable use policy covering all end-user technologies including computers, phones, tablets, email, and internet
  2. 2.Integrate acceptable use topics into mandatory security awareness training curriculum
  3. 3.Specify prohibited activities such as downloading unauthorized software, sharing credentials, and accessing personal accounts on company devices
  4. 4.Define consequences for policy violations and ensure employees acknowledge understanding in writing
  5. 5.Deliver annual refresher training on acceptable use requirements to all workforce members
  6. 6.Track training completion and maintain records for audit demonstration

Evidence auditors look for

  • Acceptable Use Policy document signed and distributed to all employees
  • Security awareness training curriculum outline showing acceptable use module content
  • Training completion records with dates and attendee names
  • Employee acknowledgment forms signed confirming understanding of acceptable use
  • Annual training refresher materials covering acceptable use updates
  • Training assessment results demonstrating comprehension of acceptable use guidelines

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates acceptable use training assignment and tracks completion status in real-time, generating audit-ready evidence reports that satisfy PCI DSS 12.6.3.2 documentation requirements without manual spreadsheet management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.6.1 — Security Awareness ProgramPCI DSS 12.6.2 — Periodic Security TrainingPCI DSS 12.6.3 — Security Training TopicsPCI DSS 8.1 — User Identification