Which statement is correct about annual acknowledgment under 12.6.2?

Multiple Choice

Explanation:
Under PCI DSS, the annual acknowledgment requirement is to confirm that personnel have read and understood both the security policy and the procedures that implement that policy. This ensures staff not only know the rules but also understand the specific steps they must follow in practice, which is essential for consistent secure behavior. Acknowledging only the policy would miss the procedural guidance that tells people how to act. Acknowledging training alone is a separate activity tied to ongoing awareness, not the specific annual acknowledgment. Understanding the policy's goals is too narrow and doesn’t guarantee familiarity with the actual procedures. Therefore, the statement about reading and understanding both the security policy and the procedures best matches the requirement.
