PCI DSS spends eleven requirements on technology and one on the humans operating it. Requirement 12 — security awareness and role-based training — is where most breaches actually start. This is what the standard asks for, who needs it, and the ISA / QSA path for the people who assess it.
The requirement that addresses the one attack surface technology cannot patch — the staff.
PCI DSS (the Payment Card Industry Data Security Standard, currently v4.0.1) mandates a security awareness programme for everyone who touches cardholder data or the systems around it. Requirement 12.6 is the anchor: an ongoing programme that makes personnel aware of the cardholder-data security policy and their own role in protecting it.
The logic is blunt: you can spend a fortune on segmentation and encryption and still lose card data to a phished employee or a careless clerk. Awareness training is the control that addresses the attack surface no firewall covers — people.
It is not a poster on a wall. v4.0 added the expectation that the awareness programme is reviewed at least annually and updated to address new threats — phishing, social engineering, and the threats relevant to your environment.
Train on hire, train yearly, train to the role, and keep the programme itself current.
Personnel receive awareness training when hired and at least once every 12 months. The clock runs from the date of hire, per person — not one company-wide date.
Training scales to the job. All personnel get the baseline; specialised roles — clerks handling card data, developers, network engineers — get deeper, function-specific content.
v4.0.1 expects coverage of current threats — phishing and social engineering explicitly — not a static deck from three years ago.
The programme itself is reviewed at least yearly and updated for new threats and vulnerabilities. Evidence the review, not just the training.
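The per-person clock is the detail most likely to go wrong in practice, so here is a small tracker that applies the rules above exactly as stated (owed at hire, then no later than twelve months after the last completion) and produces the by-name, by-date evidence an assessor asks for. It also quantifies the gap a single org-wide annual campaign leaves for a new joiner. This is an added example, not code from the page or from the PCI SSC; the roster, names, dates and the `Person` structure are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Person:
    """One employee's training record (constructed structure, not a PCI SSC format)."""
    name: str
    role: str
    hire_date: date
    last_trained: Optional[date]  # None: has never completed awareness training


def next_due(d: date) -> date:
    """Twelve months after d; a 29 February completion rolls back to 28 February."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def training_status(p: Person, as_of: date) -> tuple[str, date]:
    """Status under 'train on hire, then at least every 12 months'.

    Returns (status, date by which training must be complete). The clock
    runs from this person's own dates, never from a company-wide campaign.
    """
    if p.last_trained is None:
        # Training is owed from the hire date itself.
        return ("untrained", p.hire_date)
    due = next_due(p.last_trained)
    return ("current" if as_of <= due else "overdue", due)


def compliance_report(roster: list[Person], as_of: date) -> list[dict]:
    """Per-person evidence: one row per employee, by name and date."""
    rows = []
    for p in roster:
        status, due = training_status(p, as_of)
        rows.append({"name": p.name, "role": p.role, "status": status,
                     "last_trained": p.last_trained, "next_due": due})
    return rows


def days_waiting_for_campaign(hire_date: date, campaign_month: int, campaign_day: int) -> int:
    """Days a new joiner stays untrained if the only training is one org-wide
    annual campaign on the given month/day (the pitfall the per-person clock avoids)."""
    campaign = date(hire_date.year, campaign_month, campaign_day)
    if campaign < hire_date:
        campaign = date(hire_date.year + 1, campaign_month, campaign_day)
    return (campaign - hire_date).days


# Constructed sample roster; the people and dates are invented.
ROSTER = [
    Person("A. Clerk", "card-data handler", date(2023, 3, 1), date(2024, 2, 20)),
    Person("B. Dev", "developer", date(2022, 6, 15), date(2024, 6, 10)),
    Person("C. Joiner", "network engineer", date(2025, 3, 10), None),
    Person("D. Leap", "manager", date(2020, 1, 6), date(2024, 2, 29)),
]
AS_OF = date(2025, 4, 1)

if __name__ == "__main__":
    for row in compliance_report(ROSTER, AS_OF):
        print(f"{row['name']:<10} {row['role']:<18} {row['status']:<10} "
              f"last={row['last_trained']} due={row['next_due']}")
    # Same joiner under a 1 March company-wide campaign instead of a per-hire clock.
    print("C. Joiner would wait", days_waiting_for_campaign(date(2025, 3, 10), 3, 1), "days")
```

Run against the sample roster as of 1 April 2025, A. Clerk is overdue (due 20 February 2025), B. Dev is current until 10 June 2025, C. Joiner is untrained and was owed training at hire, and D. Leap's 29 February completion came due on 28 February 2025. The campaign check shows why the page warns against a single org-wide date: a joiner hired nine days after a 1 March campaign would wait 356 days for the next one.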
Match the depth to the risk the role carries — a developer’s training is not a clerk’s.
| Audience | What they need | Why |
|---|---|---|
| All personnel | Recognise threats, treat security as habit, know how to report a concern | The baseline human firewall — everyone is a potential entry point |
| Card-data handlers | Secure procedures for handling sensitive data, recognising misuse | Clerks, support, ops staff in the cardholder-data flow |
| Developers | Secure coding for PCI-relevant applications | v4.0 leans harder on secure software practices |
| Network / infra | Secure configuration, privileged-access discipline | A misconfigured boundary undoes the rest of the standard |
| Management | Understand and enforce the policy; reinforce the message | Governance has to own the programme, not just fund it |
Two professional credentials sit on the assessor side, both run by the PCI Security Standards Council. The ISA (Internal Security Assessor) is an employee of an organisation, trained and certified by the Council to assess their own company against PCI DSS — useful for large merchants and processors running internal compliance. The QSA (Qualified Security Assessor) works for a Council-approved company and assesses other organisations, signing off the formal Report on Compliance.
For a PSP or bank, the practical split is: build ISA capability internally to keep continuous compliance honest year-round, and engage an external QSA firm for the formal validation. The ISA keeps you ready; the QSA puts the name on the assessment. Both certifications are maintained — they are not lifetime badges.
The temptation is a once-a-year e-learning click-through that satisfies the auditor and changes no behaviour. That passes a checkbox and fails the actual purpose. A programme that works is role-based, refreshed for current threats, and measured — phishing simulations, completion tracking, evidence the review happened.
For an SA acquirer or PSP: scope who is genuinely in the cardholder-data environment, train them to their role, and keep per-person evidence (a QSA will ask for it by name and date). Decide deliberately between internal ISA capability and an external QSA engagement — most serious operators need both.
The cost of getting it wrong is not just a failed assessment. A breach with cardholder data exposed brings scheme fines, forensic costs and reputational damage — and “our staff weren’t trained” is the worst sentence to say afterwards.
Annual training runs from each hire date. A single org-wide annual campaign can leave new joiners non-compliant for months.
A deck nobody reads satisfies no real control. Measure behaviour change, or expect the assessor to probe it.
v4.0.1 wants the programme reviewed and updated annually. Last year’s threats are not this year’s — document the refresh.