PCI Security Awareness Training Requirements Simplified

By Doug Hall

Recent high-profile data breaches have much of the country keeping a closer eye on their bank statements and wondering how such a thing could happen. The events have resonated throughout the entire industry, and changes to the Payment Card Industry Data Security Standard (PCI DSS) are almost a sure thing.

In some cases, businesses see PCI compliance as just another industry buzzword or an opportunity for another hidden fee, but the reality is that the security of cardholder data is something you need to pay close attention to.

Certainly a well-defined security policy is necessary, and your own quarterly audits can confirm that your security posture hasn’t changed. But one often overlooked or misunderstood aspect of the PCI requirements is training.

The following table outlines where training is identified in the latest version of the PCI DSS.

• Address common coding vulnerabilities in software-development processes as follows:
  • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.

• Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Be aware of suspicious behavior around devices.
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel.

• Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

• Educate personnel upon hire and at least annually.

• Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

• Provide appropriate training to staff with security breach response responsibilities.