According to 12.6, awareness methods should vary based on what?


Multiple Choice

According to 12.6, awareness methods should vary based on what?

Explanation:
Awareness methods must be tailored to each person's role and level of system access. PCI DSS requirement 12.6 recognizes that different job functions carry different risks and require different depths of training. People who handle cardholder data or have privileged access need more detailed, technically oriented training and targeted reminders, while others with limited access benefit from general security awareness tied to their daily duties. A one-size-fits-all approach would miss role-specific risk points and reduce the effectiveness of the program. Training being optional would fail to meet the requirement for an ongoing awareness program, and teaching everyone the same content regardless of role ignores the varying threat landscapes across duties.

