What is PCI DSS Security Awareness Training

Requirement 12.6 of PCI DSS v4.0.1 says the entity must implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. It is the anchor requirement for security awareness inside PCI DSS and applies to every merchant or service provider in scope of the standard.

Three sub-requirements sit beneath it. 12.6.1 requires the program to be formal and implemented in writing. 12.6.2 requires annual review and update for new threats and vulnerabilities. 12.6.3 requires personnel to acknowledge the policy at least annually and to receive targeted training on phishing and social engineering, acceptable use, password choice, and mobile or teleworking technologies.

Yes. Sub-requirement 12.6.3 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures, and to receive targeted training on the topics named in the standard. Annual is the floor, not the ceiling. Sub-requirement 12.6.2 separately requires the program itself to be reviewed and updated annually for new threats and vulnerabilities.

The strongest programs run monthly micro-training on the 12.6.3 topics with annual policy acknowledgment, because attacker tradecraft shifts inside a 12-month window faster than a single annual session can keep up with. Cadence above the annual floor also generates the dated release log a QSA samples to confirm 12.6.2 review actually happened.

The standard uses the word personnel, which covers full-time employees, part-time employees, contractors, and any third party with access to the cardholder data environment. The 2013 Target breach and the 2014 Home Depot breach both started with credentials stolen from third-party vendors with CDE-connected access; both PCI assessment fallouts cited the awareness obligations for that third-party workforce.

Scope reduction (segmentation, tokenization, P2PE, hosted payment pages) shrinks the technical footprint but does not remove the training requirement for whoever still touches PAN. The first question a QSA asks during 12.6 sampling is who, exactly, sits in scope; the awareness program has to name them and show training records for each.

QSAs sample four artifacts during 12.6 review. The documented program (12.6.1), with named owner, scope, role-based training matrix, and refresh cadence. The dated review log (12.6.2), proving the program was reviewed and updated at least annually for new threats. The acknowledgment register (12.6.3), tying personnel to the version of the policy they signed and the date. The training completion register (12.6.3), tying personnel to the targeted topics they received.

The personnel roster is then sampled against each register. Missing or backdated entries are the fastest way to fail 12.6.3. Modern programs collect electronic timestamped acknowledgments, log per-learner per-exercise completion with the policy version, and retain the records for the assessment window the entity is operating under.

PCI DSS v4.0 was published in March 2022 and v4.0.1 followed in June 2024, current as of today. The v3.2.1 wording for Requirement 12.6 was thin: implement a program, educate annually, require acknowledgment annually. The v4.0 rewrite materially expanded the language. 12.6.2 added the explicit annual review and update requirement. 12.6.3 added the explicit list of targeted topics: phishing and other social engineering, acceptable use, password choice and protection, and the protection of mobile devices and use of teleworking technologies.

The transition from v3.2.1 became mandatory on 31 March 2024, and a second tranche of new v4.0 requirements (originally listed as best practice) became enforceable on 31 March 2025. Programs that have not refreshed against the expanded 12.6 language since the v3.2.1 era will not pass a v4.0.1 sample.

Sub-requirement 12.6.3 explicitly names four topics personnel must receive targeted training on. Phishing and other social engineering. Acceptable use of end-user technologies. Password choice and protection. The protection of mobile devices and the use of teleworking technologies. Each topic is sampled separately by the QSA; a single generic video that mentions none of them by name will not satisfy 12.6.3.

The strongest programs ship a separate exercise per topic, log completion per learner per exercise, and keep a topic-to-sub-requirement mapping document so the QSA can trace each completion record back to the standard. The v4.0 rewrite added the explicit phishing call-out and the mobile or teleworking call-out, both responses to threat patterns that the older v3.2.1 wording missed.

SOC 2 and ISO 27001 both require security awareness training (CC1.4 in SOC 2, A.7.2.2 in ISO 27001), but the wording is principle-based and gives the entity wide latitude on topics, cadence, and evidence format. PCI DSS Requirement 12.6 is prescriptive: it names the topics, names the cadence (annual minimum), names the audience (personnel with CDE access including third parties), and the QSA samples to a published expectation rather than to the entity's own definition.

In practice, programs running PCI DSS comfortably are also running SOC 2 and ISO 27001 comfortably; the inverse is not always true. A SOC 2 program scoped to a single annual all-hands video can pass the SOC 2 audit and still fail the PCI 12.6.3 topic sample. The two-way map matters when the same workforce is in scope for both standards.

Yes. Requirement 6.2 covers secure software development, and any developer writing code that processes, stores, or transmits cardholder data is in scope of both 6.2 and 12.6. The 2008 Heartland Payment Systems breach (130M cards, $140M plus losses) started with a SQL injection vulnerability in a public-facing web application; the subsequent PCI assessment cited application security training and secure coding practices in the developer workforce among the deficiencies.

Hosted payment pages, redirect flows, and iframe integrations reduce the application surface but do not remove the awareness requirement for the engineering teams that still write the surrounding code. The strongest programs include a developer-scoped track inside the 12.6.3 program covering secure coding, OWASP categories, and (since v4.0.1) the AI coding assistant and prompt-injection patterns the older standard wording did not anticipate.