12.6.1 Educate personnel upon hire and at least annually.
Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
12.6.1.a Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions).
12.6.1.b Verify that personnel attend security awareness training upon hire and at least annually.
12.6.1.c Interview a sample of personnel to verify they have completed awareness training and are aware of the importance of cardholder data security.
If the security awareness program does not include periodic refresher sessions, key security processes and procedures may be forgotten or bypassed, resulting in exposed critical resources and cardholder data.