Security Awareness Program
PCI DSS 4.0.1 Requirement 12.6.1 requires a formal security awareness program that makes all personnel aware of your information security policies and procedures, and what they must do to protect cardholder data. To operationalize it fast, define scope and audience, assign ownership, publish training content, enforce completion, and retain auditable proof that it runs continuously. 1
Key takeaways:
- “All personnel” means everyone whose actions can affect the cardholder data environment (CDE), including contractors and relevant third-party staff, not just IT. 1
- Auditors test operation, not intent: you need training assignments, completion evidence, policy attestations, and exception handling records. 1
- A lightweight program fails when it is outdated, unapproved, or inconsistently applied across teams; treat it as an owned control with a lifecycle. 1
A security awareness program is one of the fastest ways assessors separate “paper compliance” from a control that actually reduces payment security risk. PCI DSS makes this a named requirement because people handle the workflows that create exposure: customer support handling payments, engineers pushing code that touches payment pages, finance teams reconciling transactions, and operations teams administering systems that connect to the CDE.
For a CCO or GRC lead, the operational challenge is rarely “do we have training?” It’s scope, consistency, and evidence. Who is “all personnel”? Who gets which content? How do you prove completion and understanding? What happens when training lapses, new hires onboard, or a third party has access to systems that affect cardholder data security?
This page translates PCI DSS 4.0.1 Requirement 12.6.1 into an implementation checklist you can stand up quickly, then defend during a PCI assessment. It is written to help you design the program, embed it into onboarding and role-based processes, and retain the artifacts you will be asked for. 1
Regulatory text
Requirement (excerpt): “A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data.” 1
What the operator must do
- Implement a program (not an ad hoc training link) with defined ownership, content, audience, delivery method, and a repeatable operating cadence. 1
- Cover your information security policies and procedures in a way that maps to real job actions, so personnel understand what “following policy” means in practice. 1
- Make it apply to all personnel whose actions can impact cardholder data, including non-technical roles and relevant contractors/temporary staff. 1
Plain-English interpretation (what this requirement really means)
You must run an ongoing security awareness program that (1) reaches everyone who can affect cardholder data security, (2) teaches them the policies and procedures they are expected to follow, and (3) makes their responsibilities explicit. A “one-time annual slide deck” without tracking, approvals, and role relevance often fails assessor scrutiny because you cannot show consistent operation. 1
Who it applies to
In-scope entities
- Merchants that store, process, or transmit payment card account data. 1
- Service providers and payment processors whose people, processes, or systems can affect the security of the cardholder data environment. 1
Operational contexts that routinely trigger scrutiny
- Mixed workforces: employees + contractors + temporary staff supporting payment operations. 1
- Distributed teams with access to systems that touch CDE connectivity (IT ops, cloud, endpoint admin, helpdesk). 1
- Product and engineering teams shipping changes that affect payment pages, checkout flows, or integrations. 1
What you actually need to do (step-by-step)
1) Name the control owner and governance
- Assign an executive sponsor (often CISO/Head of Security) and an operational owner (GRC, Security Awareness lead, or HR/L&D with security sign-off).
- Write a short Security Awareness Program Standard: purpose, audience, training/attestation expectations, exceptions process, evidence retention, and review cadence.
- Ensure the document is approved and version-controlled so you can prove it is current and authoritative. 1
2) Define “all personnel” with a scoping rule you can defend
Create a roster rule that ties to real access and job function. Common approaches:
- Access-based scope: anyone with access to CDE systems, CDE-connected systems, payment admin tools, or production environments that can affect payment flows.
- Role-based scope: customer support taking payments, finance and chargebacks, developers touching checkout, IT admins, incident responders.
- Third-party scope: contractors and third-party personnel performing in-scope functions under your direction.
Document the rule and how you generate the list (HRIS export, IAM groups, ticketing queues, contractor onboarding lists). Assessors want repeatability. 1
3) Map required content to policies and procedures people actually follow
Build training content around “what you do at work,” anchored to your security policies and procedures:
- Handling payment data and what is prohibited (storage, copying, sharing).
- Acceptable use, remote access expectations, authentication hygiene, and reporting security events.
- Role responsibilities: developers (secure change practices), support (verification and scripts), IT (admin safeguards), managers (enforcement and escalation).
Keep a mapping table: Policy/Procedure → Training module → Audience. This one artifact reduces audit churn. 1
4) Decide delivery mechanisms and enforcement points
A program usually combines:
- Onboarding training assigned at hire/contract start.
- Periodic refresher training assigned on a recurring cadence you set.
- Targeted training after policy changes, major incidents, or role transfers.
Enforce completion through HR and access workflows:
- Training assignment auto-triggers from HRIS.
- Conditional access or admin entitlement approval requires completion proof.
- Managers receive overdue lists; exceptions require documented approval. 1
5) Track completion and manage exceptions
Minimum operational loop:
- Assign training to your scoped roster.
- Monitor completion and overdue items.
- Escalate overdue items to managers.
- Record exceptions with risk acceptance, compensating steps, and end date.
A common assessor “hangup” is unmanaged exceptions: people are overdue, but nobody can show decisions, escalation, or remediation. 1
6) Prove the program is “formal”: approval + operation artifacts
Two controls consistently reduce findings:
- Publish approved policies and procedures for the security awareness program (owner, review cadence, approval history, and covered personnel). 1
- Retain version history, approvals, and operating artifacts that show it is used in day-to-day work. 1
If you run the program in a GRC tool (including Daydream), use it to bind together: the governing document, audience definition, training assignments, completion exports, and exception tickets. Assessors respond well to a single evidence pack per requirement with consistent timestamps and ownership.
Required evidence and artifacts to retain (audit-ready list)
Retain artifacts that show design and operation:
- Security Awareness Program policy/standard with owner, approvals, and version history. 1
- Training content library (modules, last updated date, change log).
- Audience definition and roster generation method (HR/IAM query logic, group lists).
- Assignment records (who was assigned what, when).
- Completion records (completion dates, scores if applicable, attestations).
- New hire/contractor onboarding checklist showing training assignment.
- Exception register (overdue items, approved exceptions, remediation steps).
- Communications artifacts (security bulletins, policy change announcements) when they are part of your program.
Common exam/audit questions and hangups
Assessors and internal audit typically ask:
- “Show me the written program and who approved it.” 1
- “Who is ‘all personnel’ for your environment, and how do you ensure nobody is missed?” 1
- “How do you ensure contractors and temporary staff complete training?” 1
- “Provide a completion report and explain exceptions.” 1
- “What changed since the last review, and how did you update training accordingly?” 1
Hangups that cause delays:
- No clean join between HR roster and training platform identities.
- Different business units using different training, with inconsistent tracking.
- Training exists but does not reference your actual policies/procedures.
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | Fix |
|---|---|---|
| Treating awareness as a once-per-year activity | Hard to show it’s a “program” with lifecycle and ownership | Publish a program standard, define cadence, and retain ongoing records. 1 |
| “All personnel” interpreted as “all employees” or “only IT” with no rationale | Assessors expect a defensible scope tied to CDE impact | Write a scoping rule and show how rosters are generated and validated. 1 |
| No exception handling | Overdue training becomes an uncontrolled gap | Create an exception register with approvals and closure tracking. 1 |
| Training content not linked to policies/procedures | Fails the “aware of policy and procedures” test | Maintain a mapping: policy/procedure → module → audience. 1 |
| No version history or approvals | You cannot prove what was in force at a point in time | Use version control and approval workflows; keep prior versions. 1 |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page focuses on assessment risk. Practically, weak security awareness programs create two problems: (1) preventable human errors that expose cardholder data, and (2) assessment findings because you cannot show consistent operation or defined standards across the organization. PCI teams frequently discover the gap late because training data is spread across HR, IT, and business units without a single evidence pack. 1
Practical 30/60/90-day execution plan
First 30 days (stand up the control)
- Assign owner, sponsor, and approver chain.
- Publish the Security Awareness Program standard with scope rules and evidence requirements. 1
- Define your “all personnel” roster method and generate the first list.
- Inventory current training content; identify gaps against your security policies and procedures. 1
By 60 days (operate and prove)
- Launch training assignments for in-scope personnel; include onboarding triggers.
- Stand up reporting: completion status, overdue, exceptions.
- Start an exception register and escalation workflow.
- Produce a first “audit pack” export: policy approvals + roster + completion report + exceptions.
By 90 days (stabilize and make it repeatable)
- Run a second reporting cycle and close the loop on overdue items.
- Update content where policy/procedure changes occurred; document changes and approvals. 1
- Validate roster completeness against IAM/admin groups and contractor lists.
- If you use Daydream, centralize evidence artifacts and automate reminders so the control stays current without manual chasing.
Frequently Asked Questions
Does “all personnel” include contractors and third-party staff?
Yes, if their work can affect the security of cardholder data or the cardholder data environment, they must be covered by the program scope you define and can defend. Your evidence should show how you identify them and track completion. 1
What’s the minimum content PCI expects in security awareness training?
The requirement is outcome-based: personnel must be aware of your information security policy and procedures and their role in protecting cardholder data. Build modules that directly map to those policies and procedures for each audience. 1
Can we meet the requirement with a signed policy acknowledgment instead of training?
Acknowledgments help, but the requirement calls for a formal awareness program that makes people aware of policies, procedures, and their role. Most teams use both training and attestations so they can show understanding plus acceptance. 1
How do we handle personnel who miss training deadlines?
Treat misses as exceptions: document escalation, manager accountability, compensating controls (if any), and closure dates. An unmanaged overdue list is a common assessment failure point. 1
What evidence is most persuasive to an assessor?
A single evidence pack that ties together the approved program document, the scoped roster, the training assignments, completion exports, and an exception register. Version history and approvals matter because they prove formality and continuity. 1
Our training platform is separate from HR and IAM. Is that a problem?
It becomes a problem if you cannot prove completeness. Fix it with a documented roster process (HRIS/IAM export), identity matching rules, and a recurring reconciliation step that you retain as evidence. 1
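Step 5's operational loop and the question above both reduce to one recurring reconciliation: join the scoped roster (HRIS plus IAM groups) to the training export and the exception register, then bucket every identity. The script below is an added illustration, not code from the page or any vendor tool; it assumes constructed in-memory exports, email as the matching key, and a 365-day refresher cadence.

```python
from datetime import date, timedelta

# Constructed HRIS export (note the mixed-case address, a typical join failure).
HRIS = ["ana.lopez@example.com", "Ben.Kim@Example.com", "cara@contractor.example",
        "dev.ops@example.com", "frank.yu@example.com"]
# Constructed IAM export of a CDE-connected admin group. It carries an identity
# absent from HRIS, which is exactly the scoping gap reconciliation must surface.
IAM_CDE_ADMINS = {"cara@contractor.example", "eve.admin@example.com"}
# Constructed training-platform export: email -> last completion date (ISO),
# or None when the module was assigned but never completed.
TRAINING = {
    "ana.lopez@example.com": "2024-03-02",
    "ben.kim@example.com": "2023-01-15",
    "cara@contractor.example": None,
    "frank.yu@example.com": None,
}
# Constructed exception register: email -> approved exception end date (ISO).
EXCEPTIONS = {"cara@contractor.example": "2024-12-31",
              "frank.yu@example.com": "2024-01-31"}


def norm(email):
    """Identity matching rule: trim whitespace, compare emails case-insensitively."""
    return email.strip().lower()


def reconcile(as_of_iso, cadence_days=365):
    """Join roster, IAM, training and exception data; bucket every identity."""
    as_of = date.fromisoformat(as_of_iso)
    hris = {norm(e) for e in HRIS}
    roster = hris | {norm(e) for e in IAM_CDE_ADMINS}   # HR scope + access-based scope
    training = {norm(e): d for e, d in TRAINING.items()}
    exceptions = {norm(e): date.fromisoformat(d) for e, d in EXCEPTIONS.items()}
    report = {"not_in_hris": sorted(roster - hris), "not_assigned": [],
              "overdue": [], "excepted": [], "current": []}
    for person in sorted(roster):
        if person not in training:
            report["not_assigned"].append(person)      # never assigned: roster gap
            continue
        done = training[person]
        if done and date.fromisoformat(done) + timedelta(days=cadence_days) >= as_of:
            report["current"].append(person)
        elif exceptions.get(person, date.min) >= as_of:
            report["excepted"].append(person)          # approved exception still open
        else:
            report["overdue"].append(person)           # expired or no exception: escalate
    return report
```

Each bucket maps to an evidence artifact the page lists: `not_in_hris` and `not_assigned` feed roster validation, `overdue` feeds manager escalation, and `excepted` must match the exception register with its end dates.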
What you actually need to do
Use the cited implementation guidance when translating the requirement into day-to-day operating steps. 2
Footnotes
1. PCI DSS v4.0.1 Requirement 12.6.1