
The Payment Card Industry Data Security Standard (PCI DSS) is perhaps the most concrete, most enforced security compliance requirement for any organization that handles credit card data. Unlike many security frameworks that provide guidance and recommendations, PCI DSS is a binding requirement imposed by card brands (Visa, Mastercard, American Express, Discover) on acquiring banks, which cascade the requirements to payment processors, merchants, and service providers. Non-compliance isn't just a best practice gap—it can result in fines, merchant account termination, and liability for data breach costs.
The latest iteration of PCI DSS, version 4.0 (released in March 2022 and becoming mandatory in 2025), significantly strengthened the security awareness training requirement. Previously, security awareness training was addressed somewhat vaguely. Version 4.0 makes it explicit, measurable, and auditable. Requirement 12.6 now specifically addresses security awareness training and requires that organizations provide targeted training to personnel based on their role.
For organizations subject to PCI DSS, understanding and properly implementing the training requirements has moved from a nice-to-have to an audit item that will be actively examined by Qualified Security Assessors (QSAs) during compliance assessments.
What PCI DSS v4.0 Requires for Security Awareness Training
Requirement 12.6 in PCI DSS v4.0 breaks down security awareness training into specific, testable components. The requirement states that personnel must be made aware of their role in protecting cardholder data and the organization's security posture, and that the organization must provide role-based, targeted security awareness training.
The key word here is "targeted." PCI DSS v4.0 moved away from one-size-fits-all training. Instead, organizations must provide training that's specifically tailored to the roles and responsibilities of different personnel. A warehouse worker who never touches cardholder data gets different training than a payment processing specialist who directly handles card data. A call center representative who might interact with customers gets different training than a database administrator with access to systems storing cardholder data.
The training must address specific topics. PCI DSS specifies that awareness training must cover: protection of cardholder data, information security policies and procedures, authentication and password management, phishing and social engineering, malware and virus protection, clean desk and screen saver policies, and incident response procedures.
Notably, phishing is explicitly called out in PCI DSS v4.0 as a required training topic. This is a significant change from previous versions where phishing might have been mentioned but wasn't a standalone requirement. For payment organizations, demonstrating that employees understand phishing and can recognize phishing attempts is now an explicit compliance requirement.
The training is required to be delivered to all personnel who have access to cardholder data, as well as to personnel in the organization who have a role in supporting the systems that handle cardholder data.
Phishing Specifically Addressed in PCI DSS v4.0
The inclusion of phishing in the v4.0 requirements reflects the reality that phishing is one of the primary vectors through which cardholder data gets compromised. A phishing attack that results in credential compromise can lead to unauthorized access to payment systems and potential data theft.
The requirement states that personnel must receive phishing awareness training. However, the standard is somewhat vague about what "phishing awareness training" means. Does it mean a one-hour training module about what phishing is? Does it require testing employees to see if they can recognize phishing? Does it require simulation-based training?
This vagueness has led to variation in how organizations interpret and implement the requirement. Some organizations deliver a one-time, generic training module about phishing and consider the requirement met. Others implement comprehensive phishing simulation programs with ongoing testing and targeted remediation. Both approaches would technically meet the letter of the requirement, but only the more comprehensive approach would likely survive scrutiny if phishing were involved in an actual data breach.
In practice, QSAs conducting compliance assessments have increasingly been asking organizations to provide evidence of phishing awareness training. This evidence typically includes documentation that training was delivered, evidence that personnel understood the training, and increasingly, evidence that the training actually changed behavior.
What "Targeted" Training Means Under PCI DSS
The requirement that training be "targeted" to role has several implications that organizations often misunderstand.
First, it means that different roles get different training content. An organization doesn't satisfy PCI DSS by delivering the same training module to all 500 employees. Instead, the organization needs to segment employees by role and provide training that's relevant to each role.
Determining appropriate role segmentation requires understanding the organization's structure and the different ways that personnel interact with cardholder data or the systems that store it. Common role categories might include: payment processors, merchant customer service representatives, system administrators with cardholder data access, database administrators, management staff with oversight of cardholder data systems, and other personnel. Each of these roles faces different threats and has different security responsibilities.
Second, "targeted" means that training needs to be specific to the organization's environment and procedures. Generic, off-the-shelf training modules might cover the required topics, but targeted training goes further—it references the organization's specific policies, the organization's specific systems, the organization's specific processes for handling data. Training that says "protect cardholder data" is less targeted than training that says "cardholder data in our environment includes credit card numbers stored in the database in System X, and you must follow these procedures when handling this data."
Third, targeted training implies ongoing reinforcement. A one-time training module, no matter how good, provides limited behavioral impact. Targeted training includes periodic updates, reminders, scenario-based learning, and testing to reinforce the training and ensure that employees remember it and apply it.
Evidence Requirements for QSA Audits
When a QSA conducts a compliance assessment, one of the areas they examine is security awareness training. The QSA will ask for evidence that the training requirement has been met. What kind of evidence?
The QSA will look for documentation of the training program: policies documenting what training is required, training materials showing what content is delivered, records showing which personnel completed the training, dates and times of training delivery. For organizations claiming to have met the requirement, this documentation is fundamental. An organization without documented evidence that training occurred faces an automatic compliance finding.
The QSA will also look for evidence that the training was actually understood by personnel. This might be in the form of training assessments or quizzes. Did employees who took the training demonstrate comprehension? An organization that delivers training but doesn't assess whether employees understood the material will face questions about the effectiveness of the training.
For phishing-specific training, QSAs are increasingly asking for evidence beyond just "we delivered a training module." They're asking: Did you test employees on phishing recognition? Can you provide evidence that employees can recognize phishing? Do you have metrics showing how your organization's phishing susceptibility has changed over time?
This is where phishing simulation becomes valuable evidence for PCI DSS compliance. A phishing simulation program with documented results—how many employees fell for a simulated phishing email, what percentage improved over time, what training was provided to those who fell—is concrete evidence that the organization has delivered phishing awareness training and has measured the effectiveness of that training.
How Phishing Simulation Satisfies PCI DSS Evidence Requirements
Phishing simulation programs create multiple forms of evidence that directly address PCI DSS requirements.
First, a simulation program creates evidence that phishing-specific training has been delivered. Even if the simulation itself is the training (rather than training followed by testing), the simulation demonstrates that employees have been exposed to phishing scenarios and have been tested on their ability to recognize them.
Second, a simulation program creates evidence of measurement. A critical aspect of compliance is demonstrating that the organization is actively measuring and monitoring the effectiveness of its security awareness program. A phishing simulation program with documented metrics—baseline susceptibility, improvement over time, segment-specific metrics for different roles—directly satisfies this requirement.
Third, a simulation program creates evidence of role-targeted training. Different roles within an organization face different phishing threats. A simulation program that tailors simulations to specific roles (e.g., a payment processor receives phishing scenarios that specifically target payment processing functions) demonstrates targeted training.
Fourth, a simulation program creates evidence of ongoing reinforcement. A one-time training module isn't considered ongoing. A simulation program that conducts phishing tests on a regular cadence (monthly, quarterly, or annually) demonstrates that the organization is providing ongoing awareness training and continuously testing employee knowledge.
Finally, a simulation program creates evidence of incident response and remediation. When employees fall for simulated phishing, they should receive feedback and targeted training. A simulation program that documents which employees received additional training and what their performance was after that training demonstrates that the organization is remediating weaknesses identified through testing.
Annual Versus Continuous Training Approaches
PCI DSS v4.0 requires that security awareness training be provided, but it doesn't explicitly mandate the frequency. However, the standard requires that training be "maintained" and "updated," which implies ongoing activity rather than a one-time event.
Some organizations interpret this as annual training—all personnel complete required training once per year. This approach is simple to implement and audit but provides limited behavioral impact. Research on training retention shows that employees forget most of what they learned within weeks of a one-time training event.
Other organizations implement continuous or regular training, with periodic simulations, scenario-based learning, and updates. This approach requires more resources but provides better behavioral outcomes and more easily satisfies the "maintained and updated" language of the requirement.
For payment organizations, QSAs are increasingly expecting more than annual training, especially given that phishing threats evolve throughout the year. An organization conducting quarterly phishing simulations will have stronger evidence of maintained, ongoing awareness than an organization conducting annual training.
Building a PCI DSS-Compliant Training Program
Organizations building a security awareness program to comply with PCI DSS v4.0 should take an integrated approach that combines mandated content, role-based targeting, phishing simulation, and documented measurement.
Start by mapping roles within the organization and identifying which roles need what training. This creates the foundation for targeted training. Then select or develop training content that covers the required topics, tailored to the roles identified. For phishing training, consider implementing a phishing simulation program that tests employees regularly and provides feedback.
Establish a schedule for delivering and updating training: at least annually for everyone, and quarterly or more often for high-risk roles such as payment processors. Document everything—when training was delivered, who attended, what was covered, what assessments were conducted, and what the results were.
For phishing specifically, use simulations to create evidence of training delivery and measurement. Simulations should be tailored to the organization's specific environment and should test employees' ability to recognize phishing attempts relevant to their role.
Create a process for handling employees who fall for simulations or fail phishing assessments. Provide targeted training or coaching to improve their awareness. Document these remediation efforts.
Finally, track metrics over time. What percentage of employees are susceptible to phishing in your baseline? How has that changed after training? What segments of your organization have higher or lower susceptibility? This data becomes powerful evidence that your training program is effective and is being maintained.
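As an added illustration of the metrics described in the steps above (not code from the original post or from any product), the following script computes the per-role, per-quarter susceptibility rate, the remediation queue for a campaign, repeat clickers, and a per-role trend from constructed simulation records. The data, field layout and function names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data (not from any real program): one row per simulated
# phishing email, as (quarter, employee_id, role, clicked, reported).
SAMPLE_RESULTS = [
    ("2025-Q1", "e001", "payment_processor", True, False),
    ("2025-Q1", "e002", "payment_processor", True, False),
    ("2025-Q1", "e003", "payment_processor", False, True),
    ("2025-Q1", "e010", "dba", True, False),
    ("2025-Q1", "e011", "dba", False, True),
    ("2025-Q2", "e001", "payment_processor", False, True),
    ("2025-Q2", "e002", "payment_processor", True, False),
    ("2025-Q2", "e003", "payment_processor", False, True),
    ("2025-Q2", "e010", "dba", False, False),
    ("2025-Q2", "e011", "dba", False, True),
]

def susceptibility(rows):
    """Click rate per (quarter, role), rounded to 3 places: the
    segment-specific metric an assessor can compare across campaigns."""
    clicked, total = defaultdict(int), defaultdict(int)
    for quarter, _emp, role, did_click, _rep in rows:
        total[(quarter, role)] += 1
        clicked[(quarter, role)] += int(did_click)
    return {k: round(clicked[k] / total[k], 3) for k in total}

def remediation_queue(rows, quarter):
    """Employees who clicked in one campaign: each needs documented
    follow-up training, and their next result shows whether it worked."""
    return sorted(emp for q, emp, _r, did_click, _rep in rows
                  if q == quarter and did_click)

def repeat_clickers(rows):
    """Employees who clicked in more than one campaign, i.e. remediation
    did not stick; worth addressing before the next assessment."""
    counts = defaultdict(int)
    for _q, emp, _r, did_click, _rep in rows:
        counts[emp] += int(did_click)
    return sorted(e for e, n in counts.items() if n > 1)

def trend(rates, role):
    """(quarter, rate) pairs for one role in chronological order."""
    return sorted((q, r) for (q, rl), r in rates.items() if rl == role)

def evidence_summary(rows):
    """Per-role trend plus a simple improved/not-improved flag, the kind of
    trending data the post says an assessor expects to see."""
    rates = susceptibility(rows)
    roles = sorted({r for _q, _e, r, _c, _rep in rows})
    return {role: {"trend": trend(rates, role),
                   "improved": trend(rates, role)[-1][1] < trend(rates, role)[0][1]}
            for role in roles}
```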
The QSA Perspective on Training Evidence
From a QSA's perspective, the organization that walks into an audit with documented training policies, evidence that training was delivered, assessments showing that employees understood the training, simulation results showing phishing awareness, and trending data showing improvement over time will pass the training requirement with minimal questions. An organization that has only a checklist of employees who completed annual training will face more scrutiny and may receive a finding if the training content isn't clearly documented or if there's no evidence of effectiveness.
Related Reading
- What is Security Awareness Compliance?
- How to Run a Phishing Simulation
- PCI Security Standards Council (Official)
PhishSkill's phishing simulation platform creates the kind of evidence that QSAs expect to see when they audit PCI DSS v4.0 compliance. Our platform provides documented simulations, detailed reporting, role-based targeting, and trend metrics that demonstrate both that training has been delivered and that it's been effective. If you're responsible for security awareness in a payment organization, you need evidence that will satisfy compliance audits. Let's talk about how to build a training program that meets PCI DSS requirements while actually reducing phishing susceptibility in your organization.