PCI DSS 4.0 Security Awareness Training Requirements

Lisa Brennan··7 min read
Employee processing a card payment at a point-of-sale terminal in a retail environment

If your organisation stores, processes, or transmits payment card data, the rules you are measured against changed meaningfully with PCI DSS version 4.0. The standard did not just renumber a few controls; it sharpened expectations around the human layer. Security awareness training is no longer satisfied by a generic annual reminder to pick strong passwords. Under v4.0, your program has to name the threats your people actually face, including phishing and social engineering, and prove it keeps pace with them.

For anyone preparing for an assessment, the practical question is simple: what does the standard now require, and how do you build a program that an assessor will accept? Here is the breakdown.

v4.0 Is Now the Only Game in Town

PCI DSS v3.2.1 has been retired, and v4.0, refined by the limited revision v4.0.1, is the active version every assessment is conducted against. Many of the new and strengthened requirements were future-dated as best practice and became fully effective on 31 March 2025. In other words, the grace period that let organisations ease into the harder controls has ended; the strengthened awareness expectations are mandatory now.

That timing matters because some teams built their v4.0 programs around the older, looser interpretation and never circled back once the future-dated items went live. If your awareness content has not been revisited since the transition, it is worth treating that as a gap to close rather than assuming last year's program still passes.

The authoritative documents, including the full standard and supporting guidance, are published by the PCI Security Standards Council at pcisecuritystandards.org.

What Requirement 12.6 Actually Demands

Security awareness lives in Requirement 12.6, which calls for a formal security awareness program that keeps personnel informed of the organisation's information security policy and procedures and of their own role in protecting cardholder data. Two expectations sit at the core of it:

  • Personnel receive security awareness training upon hire and at least once every 12 months.
  • The awareness program itself is reviewed at least once every 12 months and updated as needed to address new threats and vulnerabilities.

The biggest shift from earlier versions is what the training must explicitly cover. Under v4.0, the program is expected to raise awareness of threats and vulnerabilities that could affect the security of account data, and it specifically calls out phishing and related attacks as well as social engineering. It also expects coverage of the acceptable use of end-user technologies. In short, generic security hygiene is no longer enough, the human-targeted attacks that cause real card-data breaches now have to be addressed head-on.

The strengthened wording recognises a simple reality: the fastest route to a payment-card breach is rarely a broken firewall. It is an employee who clicks a convincing lure or hands over credentials to a confident caller.

Why Phishing and Social Engineering Got Named

The PCI Security Standards Council did not single out phishing and social engineering arbitrarily. Attackers chasing cardholder data overwhelmingly start with people, through fraudulent emails, fake payment-update requests, vishing calls impersonating banks or vendors, and lures that harvest credentials to the cardholder data environment. By naming these vectors, v4.0 makes it clear that an awareness program which never mentions them is incomplete.

This is where assessment expectations and good security finally pull in the same direction. To genuinely satisfy the intent of 12.6, your people need to be able to identify, react to, and report phishing and social-engineering attempts. That is a behavioural outcome, and behaviour is hard to build, or evidence, with content alone.

Running phishing simulation campaigns is the most direct way to develop and demonstrate that capability. Realistic simulated lures show how staff actually respond under conditions resembling a genuine attack, surface who needs targeted reinforcement, and, over successive campaigns, produce a measurable trend you can show an assessor. empowsec pairs simulations with focused security awareness training so that a click becomes a teachable moment rather than just a statistic, which is exactly the loop the standard's intent rewards.

Building a Program Your Assessor Will Accept

A defensible PCI DSS 4.0 awareness program does a handful of things consistently. Use this as a working checklist:

  1. Train at hire and at least annually, and keep dated records tying completion to individuals.
  2. Cover the named threats explicitly, ensuring phishing, social engineering, and acceptable use of end-user technologies all appear in your content.
  3. Review and refresh the program annually, and whenever the threat picture shifts materially, then document that the review happened.
  4. Tailor where it counts, giving staff who handle account data the depth their role demands.
  5. Measure effectiveness, using phishing simulation results and reporting rates as evidence the training changes behaviour, not just awareness.
  6. Keep clean, exportable evidence, because at assessment time the quality of your records often matters as much as the program itself.

That final point is where many organisations lose time. Scattered spreadsheets and screenshots make an assessment painful and leave gaps an assessor will probe. Centralising completion data, campaign results, and review history, the kind of documentation and evidence for audits empowsec keeps in one place, turns the awareness portion of your assessment from a reconstruction exercise into an export.

Awareness Is a Year-Round Activity, Not an Annual One

It is tempting to read the at-least-every-12-months language in Requirement 12.6 as permission to do the bare minimum: one push of training a year, one review, done. That reading technically satisfies the frequency floor, but it misreads the standard's intent and leaves real risk on the table. The threats the standard names do not arrive on an annual schedule, and neither should your reinforcement.

Consider how the gap plays out in practice. An organisation trains everyone each January, then a convincing payment-redirection campaign lands in September. Eight months on from the last touchpoint, staff are running on memory, and the people most likely to fall for it are exactly the ones who needed reinforcement. Meeting the annual minimum did nothing to prepare them for the moment that mattered.

A stronger interpretation treats the annual milestones as anchors within a continuous program:

  • Onboarding at the start, so new hires who handle account data are prepared before they touch it, not at the next annual cycle.
  • Periodic phishing simulation spread through the year, keeping recognition skills sharp and surfacing who needs help while there is time to provide it.
  • Just-in-time reinforcement when a new threat pattern emerges, rather than waiting for the next scheduled session.
  • The formal annual review as the point where you step back, assess the program against the current threat picture, and document the update, satisfying the letter of 12.6 while the continuous activity satisfies its spirit.

This cadence also strengthens your assessment position. An assessor who sees a steady stream of dated campaigns, follow-up training, and a documented annual review is looking at a living program, which is far more convincing than a single once-a-year completion report. empowsec is built for that rhythm, letting you schedule recurring simulations, automate targeted follow-up, and keep the continuous activity log that demonstrates the program is genuinely ongoing.

Key Takeaways

PCI DSS 4.0 has made the human layer a named, examined part of compliance. To stay aligned:

  • Operate to v4.0 / v4.0.1, and treat the strengthened, formerly future-dated awareness expectations as fully effective since 31 March 2025
  • Meet Requirement 12.6 with training at hire and at least every 12 months, and an annual program review
  • Cover phishing, social engineering, and acceptable use explicitly, because generic security content no longer satisfies the intent
  • Use phishing simulation to build and evidence the ability to identify, react to, and report attacks
  • Retain dated, exportable records so the awareness section of your assessment is straightforward to prove

Handled properly, the awareness requirement is not just a hurdle to clear, it closes the most heavily exploited gap between attackers and the card data you are obligated to protect.

Share: