PCI DSS 6.2.2: Secure Coding Training for Development Teams
PCI DSS 6.2.2 mandates that all software development personnel complete secure coding training at least once every 12 months. This control directly reduces vulnerabilities introduced during the development lifecycle, protecting cardholder data from code-level exploits. Staying current with secure coding practices is essential for any organization processing payment cards.
What this means
This control requires your organization to establish and maintain a formal training program in secure coding techniques for all developers. Training must occur at minimum annually and cover industry-recognized secure coding practices relevant to your development environment. The goal is to ensure developers understand common vulnerabilities, secure design principles, and how to write code that resists attack.
How to comply
- 1.Identify all personnel involved in software development, including contractors and third-party developers
- 2.Select or develop secure coding training curriculum covering OWASP Top 10, injection flaws, authentication bypasses, and framework-specific vulnerabilities
- 3.Schedule and conduct mandatory training sessions annually for all development staff
- 4.Document training completion with attendance records, dates, and training content covered
- 5.Track training expiration dates and send reminders 30 days before annual training is due
- 6.Update training materials annually to reflect newly discovered vulnerabilities and evolving threats
- 7.Maintain records of all training sessions, attendees, and assessment results for audits
Evidence auditors look for
- Signed training completion certificates or attestations dated within the past 12 months
- Training curriculum documentation showing secure coding topics covered
- Training attendance logs with developer names, dates, and duration
- Email records showing annual training reminders sent to development teams
- Quiz or assessment results demonstrating comprehension of secure coding principles
- Third-party training provider certificates (e.g., SANS, Pluralsight, Udemy secure coding courses)
- Internal training schedules and calendars with upcoming sessions
- Policy documentation requiring annual secure coding training and defining consequences for non-compliance
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks developer training due dates, sends renewal reminders, and maintains a centralized repository of training records and certifications—eliminating manual spreadsheets and audit prep delays for PCI DSS 6.2.2 compliance.
See how GRCWatch handles this control automatically
Start free trial