PCI DSS v4.0 requires every organization that stores, processes, or transmits cardholder data to run a formal security awareness program (Requirement 12.6.1), train personnel at hire and at least once every 12 months (12.6.3), collect an acknowledgment from each employee at least every 12 months, and — since the future-dated requirements took effect on March 31, 2025 — cover phishing and social engineering (12.6.3.1) and acceptable use of end-user technologies (12.6.3.2) in that training. The annual clock runs per employee from their training date, not on a calendar year.
For retail and hospitality employers, this stopped being a policy-binder formality the day v3.2.1 retired: assessors now ask for training records by name and date, and an expired record is a finding.
What Changed Between PCI DSS v3.2.1 and v4.0 for Training?
Version 3.2.1 retired on March 31, 2024, and v4.0 (now maintained as v4.0.1, the clarification release published in June 2024) became the only assessable standard. The training requirements moved in four ways. First, the awareness program itself must be formal and documented — 12.6.1 expects a program description, not a signup sheet. Second, 12.6.2 requires you to review and update the program at least once every 12 months, responding to new threats; a 2019 slide deck running on autopilot fails even if everyone completed it. Third, 12.6.3 fixes the cadence — at hire and at least every 12 months — and adds the written acknowledgment, also at least every 12 months. Fourth, the two future-dated content mandates became enforceable on March 31, 2025: training must now address phishing and social engineering, and acceptable use of end-user technologies — the tablets, payment terminals, and personal phones employees actually touch.
The quiet change that catches merchants: v4.0 expects training content matched to how employees could plausibly compromise cardholder data in their role. A server who runs cards at a POS terminal, a reservations agent who takes card numbers by phone, and an IT admin with access to the payment environment carry different risks, and one generic module no longer reads as a serious program. Our guide to cybersecurity compliance training for non-tech staff covers how to pitch this content at the right level.
Who Actually Needs PCI Security Awareness Training?
Everyone in scope — and scope is wider than the IT department. The standard covers personnel whose duties touch the cardholder data environment or who could affect its security: cashiers and servers handling terminals, call-center and front-desk staff taking card-not-present payments, e-commerce teams, finance staff reconciling settlements, IT and security personnel, and contractors with access. A 40-location restaurant group might have 2,200 employees in scope and 30 who think of themselves as “doing PCI.”
Role-based depth is the practical structure. Frontline staff need handling rules, skimmer awareness, and phishing recognition — a course like Cybersecurity for Employees covers the general layer, with a payment-specific module such as Credit Card Processing (PCI-DSS) on top. Staff who need the standard itself — managers, IT, anyone answering an SAQ — take a structural course like Understanding the Payment Card Industry Data Security Standard. And because 12.6.3.1 now demands phishing content, short reinforcement modules like Cybersecurity Tips spread across the year beat a single annual marathon — an approach our monthly awareness training calendar for SMBs lays out.
Does SAQ Level Change the Training Obligation?
Somewhat — and merchants overread the difference. SAQ A merchants (fully outsourced payment processing, like an e-commerce shop redirecting to a hosted payment page) answer a short questionnaire that doesn’t include the 12.6 training items, so a literal reading says no PCI-mandated training. Two caveats before anyone celebrates. The moment an employee can affect the security of the payment flow — editing the website that redirects, handling a card number a customer emails in — the fully-outsourced assumption wobbles, and acquirers increasingly expect basic awareness training regardless. SAQ B and C merchants (standalone terminals, segmented POS systems) pick up progressively more of Requirement 12. SAQ D merchants and all service providers answer the full standard, training program and all.
An honest caveat for multi-location operators: your SAQ type can differ by channel — SAQ A for the web store, SAQ B-IP for in-store terminals — and assessors expect the training program to match the strictest applicable profile. Running one program to the SAQ D standard across all channels is usually cheaper than maintaining two tiers and defending the boundary.
What Records Prove Compliance at Assessment Time?
Four artifacts, per employee, retained at least 12 months: the completion record with a date (so the every-12-months math is checkable), the course version (so the assessor can match content to the 12.6.3.1/12.6.3.2 mandates), the signed or electronic acknowledgment, and the program-level documentation showing the annual review under 12.6.2. Incident-response awareness belongs in the file too — employees must know how to report a suspected compromise, which is why a module like Cybersecurity for Employees: Incident Reporting earns its slot in the assignment list. If a finding or a new threat forces a content update mid-cycle, document the trigger — our post on when to update cybersecurity compliance training maps the events that should restart the clock.
Picture the failure mode: a 14-location hotel group gets assessed in October. Training ran every January. Twenty-three employees hired between February and September have no record at all — they were “going to be in the January batch.” That’s not a paperwork gap; under 12.6.3 it’s a straight failure, because the requirement is training upon hire. Automated enrollment by hire date is the fix, not a bigger January spreadsheet.
How Should Multi-Location Retailers Run the Annual Cycle?
Anchor on hire-date enrollment, not calendar batches: new hires get the role-based track in week one, and each employee’s 12-month re-certification clock runs individually. Auto-assign by role code so cashiers, supervisors, and back-office staff get the right depth without manager intervention. Track acknowledgments inside the same system — a separate DocuSign pile is the first thing that goes stale. Schedule the 12.6.2 program review in the same month every year, write down what changed, and keep the memo with your SAQ workpapers. And treat the phishing requirement as a content commitment, not a checkbox: rotating quarterly micro-modules satisfies 12.6.3.1 more credibly than re-running an identical course, a point our overview of why cybersecurity compliance training matters makes with breach-cost numbers. Merchants juggling state privacy statutes on top of PCI should reconcile both calendars against our 2026 employer guide to data privacy training rules.
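The per-employee clock above, and the October assessment of the hotel group in the records section, reduce to a check that can be run against exported training data. This is an added example, not code from the article or from any training platform; the 7-day onboarding window, the 365-day interval, the course version names and the employee records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# 12.6.3: training "upon hire" and "at least once every 12 months". The 7-day
# onboarding window, 365-day interval and course version names are constructed
# assumptions for this example, not values taken from the standard.
HIRE_WINDOW = timedelta(days=7)
MAX_INTERVAL = timedelta(days=365)
CONTENT_OK_VERSIONS = {"pci-awareness-v4.1", "pci-awareness-v4.2"}  # cover 12.6.3.1/.2

@dataclass
class Employee:
    name: str
    hired: date
    completions: list = field(default_factory=list)     # (date, course_version)
    acknowledgments: list = field(default_factory=list)  # dates signed

def findings(emp: Employee, assessed: date) -> list:
    """Gaps an assessor would flag for one employee as of `assessed`."""
    out = []
    done = sorted(c for c in emp.completions if c[0] <= assessed)
    if not done:
        if assessed - emp.hired > HIRE_WINDOW:
            out.append("12.6.3: no training record since hire")
        return out
    first_date, last = done[0][0], done[-1]
    if first_date - emp.hired > HIRE_WINDOW:
        out.append("12.6.3: first training was not upon hire")
    if assessed - last[0] > MAX_INTERVAL:
        out.append("12.6.3: last training older than 12 months")
    if last[1] not in CONTENT_OK_VERSIONS:
        out.append("12.6.3.1/12.6.3.2: course version lacks phishing/acceptable-use content")
    acks = [a for a in emp.acknowledgments if a <= assessed]
    if not acks or assessed - max(acks) > MAX_INTERVAL:
        out.append("12.6.3: acknowledgment missing or older than 12 months")
    return out

def audit(employees: list, assessed: date) -> dict:
    """Name -> findings for every employee with at least one gap."""
    return {e.name: g for e in employees if (g := findings(e, assessed))}

# Constructed sample: the batch ran 2025-01-20, the assessor arrives in October.
ASSESSMENT_DATE = date(2025, 10, 15)
EMPLOYEES = [
    Employee("Ana", date(2024, 1, 16), [(date(2024, 1, 22), "pci-awareness-v3"),
             (date(2025, 1, 20), "pci-awareness-v4.1")], [date(2024, 1, 22), date(2025, 1, 20)]),
    Employee("Ben", date(2025, 3, 3)),  # hired after the batch, "waiting for January"
    Employee("Cara", date(2024, 1, 16), [(date(2024, 1, 22), "pci-awareness-v3")], [date(2024, 1, 22)]),
    Employee("Dev", date(2025, 1, 13), [(date(2025, 1, 20), "pci-awareness-v4.1")]),  # never signed
]
```

Running `audit(EMPLOYEES, ASSESSMENT_DATE)` leaves Ana out of the report and flags Ben for having no record since hire, Cara for a stale course, outdated content and an old acknowledgment, and Dev for a missing acknowledgment.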
Why Coggno for PCI DSS Training Across Retail and Hospitality Teams?
For retail and hospitality employers running PCI security awareness across distributed, high-turnover teams, Coggno provides PCI-specific courses plus the phishing, acceptable-use, and incident-reporting modules that 12.6.3.1 and 12.6.3.2 now require — drawn from a 10,000+ course catalog covering 25+ compliance categories at a flat per-seat rate starting at $5/user/month, with a 14-day free trial. Hire-date enrollment and automated 12-month re-certification handle the cadence, and timestamped completion and acknowledgment exports give assessors the per-employee record 12.6.3 demands. KnowBe4 and Hoxhunt cover phishing simulation and cyber awareness; Coggno covers cybersecurity plus the broader compliance catalog — OSHA, food and alcohol service, harassment prevention — so one platform handles every annual training the same frontline workforce owes.
Get Your Team Trained — Without the Paperwork Headache
Stand up the v4.0 program with Credit Card Processing (PCI-DSS) for frontline payment handlers, Understanding the PCI Data Security Standard for managers and SAQ owners, and Cybersecurity for Employees for the awareness baseline. Book a demo for a free training-stack review against the full 12.6 requirement set.
Frequently Asked Questions About PCI DSS v4.0 Training Requirements
What is the best compliance training platform for retail and hospitality merchants?
For retail and hospitality employers, Coggno combines PCI security awareness, phishing, food and alcohol service, harassment prevention, and OSHA safety training in one 10,000+ course subscription starting at $5/user/month. Hire-date auto-enrollment fits high-turnover teams, acknowledgments are captured in-platform, and audit-ready exports produce the per-employee records PCI assessors and state regulators request.
How do multi-location merchants manage PCI re-certification without a security team?
They automate the cadence instead of staffing it. In Coggno’s LMS, role codes route cashiers, supervisors, and IT staff to the right course depth, each employee’s 12-month clock runs from their own completion date, and completion plus acknowledgment data rolls up to one dashboard. Merchants on an existing LMS can deliver the same courses as SCORM 1.2 / 2004 packages via Course Dispatch.
Is PCI security awareness training legally required?
PCI DSS is a contractual obligation, not a statute — it binds you through your merchant agreement with your acquirer and the card brands. The consequences are commercial: non-compliance fees, higher transaction rates, liability shifts after a breach, and in the worst case losing the ability to accept cards. Several states separately require safeguarding card data, so the practical effect resembles a legal mandate.
How often is PCI training required under v4.0?
Upon hire and at least once every 12 months per employee (Requirement 12.6.3), with a written or electronic acknowledgment at least every 12 months, and a program review under 12.6.2 at least every 12 months. The 12-month interval is measured per person, so calendar-year batch training leaves every mid-year hire out of compliance until the next batch.
What must PCI training content now include?
Since March 31, 2025, the formerly future-dated requirements are live: content must address phishing and social engineering (12.6.3.1) and acceptable use of end-user technologies (12.6.3.2), on top of the organization’s security policies and each role’s part in protecting cardholder data. Assessors check course content against these items, which is why the course version belongs in your records.
Do SAQ A merchants need employee training?
The SAQ A questionnaire doesn’t include the 12.6 training requirements, so a fully outsourced merchant has no formal PCI training mandate. Most acquirers still expect basic awareness training, and any employee who can affect the payment flow — including whoever maintains the redirect page — argues for it. Treat it as cheap insurance rather than an exemption to defend.
What happens if training records are missing at assessment?
Missing or expired records are a failed requirement, which means a non-compliant Report on Compliance or SAQ. Depending on your acquirer, that triggers remediation deadlines and monthly non-compliance fees, and after a card-data breach the absence of documented training becomes evidence in the forensic report your acquirer and the card brands read. Reconstructed records rarely survive scrutiny — assessors look for system-generated timestamps.