Updated:
July 2, 2026
PCI DSS Requirement 12.6 Evidence Gaps Grow
PCI SSC’s statement that awareness training may help satisfy PCI DSS Requirement 12.6 has put employee education back into focus for merchants and service providers preparing PCI DSS v4.0.1 assessments. The issue is no longer whether staff receive a generic annual module. Assessors now look for a formal, updated, documented security awareness program tied to cardholder data, phishing, social engineering and end-user technology use.
What Does PCI SSC Say About Awareness Training And PCI DSS Requirement 12.6?
PCI SSC says its PCI Awareness training is intended for people working at organizations that must comply with PCI DSS and that course completion may help satisfy Requirement 12.6 for general security awareness education. The wording matters because training can support compliance, but it does not replace a full awareness program.
PCI SSC’s public training page says the course helps participants understand PCI compliance before an assessment, apply PCI DSS security principles and earn continuing education credits. A PCI SSC course-description PDF uses stronger wording, saying completion satisfies Requirement 12.6 for general security awareness.
The safer interpretation is the practical one: a course can cover the general awareness education piece, but a QSA can still ask for the entity’s own program scope, personnel roster, training records, review history, updated content, policy acknowledgment and role-specific evidence.

When Did PCI DSS Requirement 12.6 Become A v4.0.1 Audit Issue?
PCI DSS Requirement 12.6 dates back years, but it became a sharper audit issue after PCI DSS v4.0 was published on March 31, 2022, PCI DSS v4.0.1 was published on June 11, 2024, and future-dated requirements became mandatory on March 31, 2025.
PCI SSC’s October 2014 awareness supplement said a formal security awareness program must be in place for organizations required to meet Requirement 12.6. That guidance framed awareness as more than a once-a-year task and encouraged role-based education, metrics and communication.
PCI DSS v4.0.1 kept the v4.0 transition date. PCI SSC said v4.0.1 was a limited revision with no new or deleted requirements, and it did not change the March 31, 2025 effective date for new requirements.
What Does PCI DSS v4.0.1 Requirement 12.6 Require For Security Awareness?
PCI DSS v4.0.1 Requirement 12.6 requires security awareness education to be an ongoing activity. The standard requires a formal program for all personnel, review at least once every 12 months, training upon hire and at least once every 12 months, multiple communication methods and yearly policy acknowledgment.
Requirement 12.6.1 requires a formal awareness program that makes all personnel aware of information security policies, procedures and their role in protecting cardholder data. Requirement 12.6.2 requires the program to be reviewed at least once every 12 months and updated for new threats or vulnerabilities.
Requirement 12.6.3 requires training upon hire and at least once every 12 months. It requires multiple methods of communication and a personnel acknowledgment at least once every 12 months that security policies and procedures have been read and understood.
Requirement 12.6.3.1 requires awareness of phishing, related attacks and social engineering. Requirement 12.6.3.2 requires awareness of acceptable use of end-user technologies under Requirement 12.2.1. Both were best practices until March 31, 2025, then became required for PCI DSS assessments.
Which Merchants And Service Providers Must Train Personnel Under PCI DSS Requirement 12.6?
PCI DSS Requirement 12.6 affects entities that store, process or transmit cardholder data or could affect the security of the cardholder data environment. That includes merchants, processors, acquirers, issuers, service providers and payment-support vendors when their people, systems or services fall into PCI scope.
The requirement is broad because PCI DSS applies beyond technical teams. Cashiers, finance employees, help desk staff, administrators, developers, managers, contractors and service-provider personnel can all affect payment security.
Training scope should follow access and business impact, not job title alone. Personnel who can view cardholder data, change payment systems, access the CDE, support payment applications, handle physical payment records or manage vendors should appear in the awareness-training population.
What Penalties Or Business Consequences Follow PCI DSS Requirement 12.6 Failures?
PCI DSS Requirement 12.6 failures can produce assessment findings, customer evidence requests, remediation costs and non-compliance consequences through acquirers or payment brands. PCI SSC does not impose fines directly on merchants, but payment brands and acquiring banks manage compliance validation and may impose business consequences.
Visa says merchants and service providers must maintain PCI DSS compliance at all times, and Visa may assess a non-compliance assessment to an issuer or acquirer when a merchant or service provider fails to comply or fails to fix a security issue.
The business consequences can include failed Reports on Compliance, delayed Attestations of Compliance, customer contract pressure, forensic investigation after a breach, higher scrutiny from acquirers and possible processing consequences. Requirement 12.6 is usually not the largest technical control, but missing evidence can still create a reportable gap.
What Evidence Do QSAs Review For PCI DSS Requirement 12.6 Awareness Training?
QSAs review evidence showing that security awareness training is formal, current, assigned, completed, acknowledged and mapped to PCI DSS obligations. Evidence usually includes training materials, completion logs, onboarding records, annual refresher records, policy acknowledgments, program reviews, update history and personnel interviews.
The v4.0.1 testing procedures say assessors examine the security awareness program for Requirement 12.6.1, content and evidence of reviews for Requirement 12.6.2, training records for Requirement 12.6.3, and materials covering phishing, social engineering and acceptable use for Requirements 12.6.3.1 and 12.6.3.2.
Personnel interviews matter because assessors can test whether employees know their role in protecting cardholder data. A completion report alone may be weak when the curriculum does not match policy, personnel lists miss contractors or employees cannot explain how to report suspected phishing.
How Should Organizations Use PCI SSC Awareness Training For Requirement 12.6?
Organizations should use PCI SSC Awareness training as one component of a documented Requirement 12.6 program, not as the entire program. The training can support general PCI education, while the organization still needs entity-specific policies, role-based content, records, review evidence and acknowledgment records.
1. Define the training population using PCI scope, CDE access, job role and third-party support responsibilities.
2. Map training materials to Requirements 12.6.1, 12.6.2, 12.6.3, 12.6.3.1 and 12.6.3.2.
3. Add company-specific policy content for cardholder data handling, acceptable use, incident reporting and phishing response.
4. Record completion upon hire and at least once every 12 months.
5. Capture personnel acknowledgment of information security policies and procedures every 12 months.
6. Review the program at least once every 12 months and update content for new payment-security threats.
7. Keep evidence ready for QSA review, including rosters, content, dates, acknowledgment files and exception handling.
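The cadence described under Requirement 12.6 above (training upon hire and every 12 months, acknowledgment every 12 months, program review every 12 months, phishing, social engineering and acceptable-use content) and steps 1 to 7 of this checklist can be turned into a pre-assessment evidence check. The script below is an added example written for this article, not PCI SSC or Bright Defense code; the roster, program record, 365-day reading of "12 months" and the person and program field names are all constructed assumptions, and a real run would load these from the HR system and LMS export.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# "At least once every 12 months" is modelled as 365 days (an assumption; an
# assessor may instead expect the same calendar date the following year).
ANNUAL_DAYS = 365

# Topics that Requirements 12.6.3.1 and 12.6.3.2 expect the content to cover.
REQUIRED_TOPICS = {"phishing", "social engineering", "acceptable use"}


@dataclass
class Person:
    name: str
    contractor: bool
    in_scope: bool                       # CDE access or handles cardholder data
    hire_date: date
    last_training: Optional[date]        # most recent completed awareness course
    last_acknowledgment: Optional[date]  # most recent policy acknowledgment


@dataclass
class Program:
    last_review: Optional[date]          # most recent 12.6.2 program review
    topics: Set[str] = field(default_factory=set)  # topics the current content covers


def person_gaps(p: Person, as_of: date) -> List[Tuple[str, str]]:
    """Return 12.6.3 findings for one person as (requirement, message) pairs."""
    gaps: List[Tuple[str, str]] = []
    if not p.in_scope:               # out-of-scope personnel are not in the training population
        return gaps
    stale = as_of - timedelta(days=ANNUAL_DAYS)
    if p.last_training is None:
        gaps.append(("12.6.3", f"{p.name}: no training record since hire on {p.hire_date}"))
    elif p.last_training < p.hire_date:
        # A record dated before the hire date usually belongs to an earlier engagement
        # and does not evidence training "upon hire" for this one.
        gaps.append(("12.6.3", f"{p.name}: training on {p.last_training} predates hire on {p.hire_date}"))
    elif p.last_training < stale:
        gaps.append(("12.6.3", f"{p.name}: annual training overdue (last {p.last_training})"))
    if p.last_acknowledgment is None or p.last_acknowledgment < stale:
        gaps.append(("12.6.3", f"{p.name}: policy acknowledgment missing or older than 12 months"))
    return gaps


def program_gaps(prog: Program, as_of: date) -> List[Tuple[str, str]]:
    """Return 12.6.2 and 12.6.3.1/12.6.3.2 findings for the program itself."""
    gaps: List[Tuple[str, str]] = []
    stale = as_of - timedelta(days=ANNUAL_DAYS)
    if prog.last_review is None or prog.last_review < stale:
        gaps.append(("12.6.2", "program review missing or older than 12 months"))
    missing = REQUIRED_TOPICS - {t.lower() for t in prog.topics}
    if missing:
        gaps.append(("12.6.3.1/12.6.3.2", "content does not cover: " + ", ".join(sorted(missing))))
    return gaps


def evidence_gaps(roster: List[Person], prog: Program, as_of: date) -> List[Tuple[str, str]]:
    """Program findings first, then per-person findings for the in-scope population."""
    gaps = program_gaps(prog, as_of)
    for p in roster:
        gaps.extend(person_gaps(p, as_of))
    return gaps


def contractors_uncovered(roster: List[Person]) -> List[str]:
    """In-scope contractors with no training record at all (a common roster gap)."""
    return [p.name for p in roster if p.contractor and p.in_scope and p.last_training is None]


# Constructed sample data (not real personnel); assessment date taken as 2 July 2026.
AS_OF = date(2026, 7, 2)
SAMPLE_ROSTER = [
    Person("A. Cashier", False, True, date(2024, 1, 15), date(2026, 3, 1), date(2026, 3, 1)),
    Person("B. Developer", False, True, date(2023, 5, 1), date(2025, 5, 20), date(2026, 2, 1)),
    Person("C. Contractor", True, True, date(2026, 2, 10), None, None),
    Person("D. Marketing", False, False, date(2022, 9, 1), None, None),
    Person("E. Helpdesk", False, True, date(2026, 4, 1), date(2025, 11, 10), date(2026, 4, 2)),
]
SAMPLE_PROGRAM = Program(last_review=date(2025, 4, 15), topics={"Phishing", "Acceptable Use"})

if __name__ == "__main__":
    for req, msg in evidence_gaps(SAMPLE_ROSTER, SAMPLE_PROGRAM, AS_OF):
        print(f"[{req}] {msg}")
    print("Uncovered contractors:", contractors_uncovered(SAMPLE_ROSTER))
```

Each finding carries the requirement number so the output can be filed against the same mapping used in step 2, and out-of-scope personnel are skipped rather than reported, matching the scope-based population in step 1. The sample run surfaces the gaps the article lists as common: an overdue refresher, an uncovered contractor, a training record that predates the current hire date, a stale program review and content that omits social engineering.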
How Did The Payments Industry Respond To PCI DSS v4.0.1 Awareness Training?
The payments industry responded to PCI DSS v4.0.1 awareness training with training products, QSA guidance and renewed focus on evidence quality. Most public response came from PCI assessors, compliance vendors, banks and training providers rather than major general-news outlets.
No Reuters, AP, Bloomberg, Financial Times, Wall Street Journal or BBC article focused specifically on PCI SSC awareness training and Requirement 12.6 was found in current searches for this report. Coverage is mostly operational because the development affects assessment preparation rather than public enforcement.
Security vendors and QSAs have focused on the practical gaps. Common issues include generic annual videos, incomplete personnel rosters, weak contractor coverage, missing policy acknowledgments, training content that omits phishing and social engineering, and no proof that program content was reviewed after threat changes.
What Payment Brand Actions Are Tied To PCI DSS Requirement 12.6?
Payment brand actions tied to Requirement 12.6 are indirect because PCI SSC writes the standard, while payment brands and acquirers manage compliance validation. The practical action is that merchants and service providers must show PCI DSS compliance through the validation path required by their acquirer or payment brand.
PCI SSC says reporting requirements and validation instructions are determined by the organizations that manage compliance programs, including payment brands and acquirers. That means the evidence burden can vary based on merchant level, service-provider role, acquirer requirements and customer contracts.
Visa’s compliance information states that issuers and acquirers are responsible for PCI DSS compliance of their service providers and merchants. That structure pushes Requirement 12.6 evidence into merchant services reviews, service-provider assurance packages and customer due diligence.
What Questions Remain About PCI DSS Requirement 12.6 Training?
The main unresolved question is how strictly assessors will treat PCI SSC Awareness training when an organization lacks strong internal records. PCI SSC’s course page says completion may help satisfy Requirement 12.6, but assessment procedures still require proof that the entity’s own awareness program is implemented and current.
A second open question is training quality. PCI DSS requires topics and evidence, but it does not prescribe one training format. Web-based courses, in-person sessions, team meetings, posters and incentives can all support awareness when they match the entity’s PCI risks.
A third question is how organizations will handle new threats after annual training. Requirement 12.6.2 requires updates as needed, which means a major phishing campaign, payment-page threat, new remote access tool or policy change may require communication before the next annual course.
How Bright Defense Helps Organizations Meet PCI DSS Requirement 12.6
Bright Defense helps merchants and service providers meet PCI DSS Requirement 12.6 through Penetration Testing, Continuous Compliance and Security Assessments that connect awareness training to real payment-security risk. The work supports evidence that personnel understand cardholder data responsibilities, phishing risk, acceptable use and incident reporting.
For PCI DSS programs, Bright Defense can review CDE scope, training populations, security policies, phishing reporting workflows, access paths, vendor exposure, logging and incident-response readiness. That evidence helps organizations show that awareness education is not isolated from technical controls and that Requirement 12.6 supports broader protection of payment account data.
Sources Cited In This PCI DSS Requirement 12.6 Report
PCI Security Standards Council — PCI Awareness Training (2026) https://www.pcisecuritystandards.org/program_training_and_qualification/requirements_awareness/
PCI Security Standards Council — Awareness Training Course Description (2026) https://www.pcisecuritystandards.org/pdfs/course_description_for_awareness_v4.pdf
PCI Security Standards Council — PCI Data Security Standard PCI DSS (2026) https://www.pcisecuritystandards.org/standards/pci-dss/
PCI Security Standards Council — PCI DSS v4.x Resource Hub (2026) https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub
PCI Security Standards Council — Just Published: PCI DSS v4.0.1 (June 11, 2024) https://blog.pcisecuritystandards.org/just-published-pci-dss-v4-0-1
PCI Security Standards Council — Now Is The Time For Organizations To Adopt The Future-Dated Requirements Of PCI DSS v4.x (2024) https://blog.pcisecuritystandards.org/now-is-the-time-for-organizations-to-adopt-the-future-dated-requirements-of-pci-dss-v4-x
PCI Security Standards Council — Best Practices For Implementing A Security Awareness Program (October 2014) https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
PCI Security Standards Council — PCI DSS v4.0.1 Requirements And Testing Procedures (June 2024) https://www.middlebury.edu/sites/default/files/2025-01/PCI-DSS-v4_0_1.pdf
Visa — Payment Card Industry Compliance, PCI DSS Compliance (2026) https://www.visaeurope.lu/partner-with-us/pci-dss-compliance-information.html
Visa — Account Information Security Program And PCI (2026) https://corporate.visa.com/en/resources/security-compliance.html
PCI Security Standards Council — Merchant Resources (2026) https://www.pcisecuritystandards.org/merchants/
SecureTrust — PCI DSS v4.0.1 Requirements: Key Updates And What They Mean For Small Businesses (April 10, 2026) https://www.securetrust.com/blog/pci-4-0-requirements
BDO — PCI DSS v4.0 New Requirements (2024) https://www.bdo.com/getmedia/7a423c2a-ec5d-45c1-b2d0-8a5030d0fa80/ASSR-ASP-PCI-4-0-New-Requirements.pdf