PCI-DSS
Payment-card data security standard maintained by the PCI Security Standards Council — Requirement 12.6 explicitly mandates a formal security awareness program.
PCI-DSS — the Payment Card Industry Data Security Standard — is maintained by the PCI Security Standards Council (PCI SSC), a body founded by American Express, Discover, JCB, Mastercard, and Visa. It applies to any organization that stores, processes, or transmits cardholder data, regardless of size or geography. It is a contractual standard imposed by the card brands, not a law — but for any merchant or service provider that touches a PAN (primary account number), it is non-optional.
The current version is PCI-DSS v4.0.1 (mandatory since 31 March 2025; v3.2.1 was retired alongside it). The standard is organized into 12 requirements grouped under 6 control objectives. For human-risk discussion, the relevant section is:
- Requirement 12.6 — Security Awareness Education. Personnel must be made aware of the cardholder-data environment’s security policy and procedures.
- 12.6.1 — formal program established and active.
- 12.6.2 — review and update of the program at least annually and when the threat landscape changes.
- 12.6.3 — personnel acknowledge they have understood the program at least annually.
- 12.6.3.1 and 12.6.3.2 (new in v4.0) — the program must specifically address phishing and related attacks (12.6.3.1) and acceptable use of end-user technologies (12.6.3.2).
Other defining properties:
- Assessor-led. Compliance is validated by a QSA (Qualified Security Assessor) for larger merchants and service providers, or by self-assessment (SAQ) for smaller ones.
- Cross-cutting with other frameworks. Cardholder-data environments inside a SOC 2- or ISO 27001-scoped service usually inherit common evidence.
- The v4.0 shift toward customized approaches lets organizations meet a requirement’s objective through evidence other than the prescribed control — opening the door for behavioral evidence in lieu of completion-only awareness logs.
The explicit call-out of phishing in 12.6.3.1 reflects what PCI SSC sees in actual breach data: the human path into the cardholder-data environment is now more common than the technical one.
Related terms
- SOC 2: AICPA attestation framework based on five Trust Services Criteria — the de facto B2B SaaS sales gate for North American buyers.
- ISO/IEC 27001: International standard for an Information Security Management System (ISMS) — the closest thing to a global certification mark for security.
- HIPAA: US federal law governing protected health information — the Security Rule explicitly mandates a security awareness and training program for the workforce.
- HDS (Hébergeur de Données de Santé): French certification, granted by ANS, that any organization hosting personal health data on behalf of a French controller must hold.
- Behavioral evidence: The audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.