PCI DSS 12.6.3: Mandatory Security Awareness Training on Hire and Annually
PCI DSS 12.6.3 mandates that all personnel receive security awareness training upon hire and at minimum once every 12 months. This foundational control reduces human error—the leading cause of data breaches—and ensures your team understands their role in protecting cardholder data throughout the year.
What this means
This control requires your organization to establish and enforce a security awareness training program that reaches every employee on day one and maintains engagement through annual refresher sessions. The training must cover security policies, procedures, and best practices relevant to their role. Personnel includes all staff—full-time, part-time, temporary, and contractors—with access to cardholder data environments or systems.
How to comply
- 1.Develop documented security awareness training curriculum covering PCI DSS requirements, data protection policies, and role-specific responsibilities
- 2.Deliver training materials to all personnel within 30 days of hire or role assignment
- 3.Conduct annual refresher training for all employees, documented with dates and attendance records
- 4.Customize training content by job function—e.g., developers, helpdesk, accountants—to address relevant threats
- 5.Implement sign-off or assessment mechanism proving understanding and acknowledgment
- 6.Track and maintain evidence of training completion for audit periods
- 7.Update training materials when policies change or new threats emerge
Evidence auditors look for
- Employee onboarding training records with completion dates and sign-offs
- Annual security awareness training attendance logs or LMS enrollment records
- Training curriculum documentation and presentation materials
- Role-specific training modules tailored to job functions
- Post-training assessments or quizzes demonstrating comprehension
- Training acknowledgment forms signed by employees
- Updated training materials reflecting policy changes or incident learnings
- Third-party training vendor certificates for outsourced programs
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates training assignment based on hire date and role, tracks completion deadlines, generates audit-ready attendance reports, and alerts you before the 12-month window expires—eliminating manual tracking and compliance gaps.
See how GRCWatch handles this control automatically
Start free trial