This article has been updated (March 2026).
With human error contributing to the majority of data breaches, PCI training has never been more critical. PCI DSS version 4.0 introduces enhanced awareness and training requirements to help organizations better protect their payment card data and meet compliance obligations. This comprehensive PCI training guidance explains what teams must know, whom to train, and how the new version affects your security awareness programs.
In DSS v4.0, organizations need to enforce a more formal security awareness program for their payment card merchants. The training program should address specific threats and vulnerabilities within the merchant environments (i.e., specific to how they are taking payments).
For example, front-end cashiers should be aware of the risks surrounding skimming devices on card terminals and be cautious before allowing third-party support personnel access to devices or secure areas. If employees are at risk for phishing and exposing credentials or information that can lead to potential data compromise, the training should cover common phishing and social engineering attacks, and where and how to report a suspected email attack.
What Is PCI Training & Why It Matters
PCI training refers to structured education designed to help staff understand Payment Card Industry Data Security Standard (PCI DSS) requirements, how cardholder data must be protected, and how everyday actions impact compliance and risk. Effective PCI training covers secure payment handling, recognizing phishing and social engineering threats, acceptable technology usage, and the consequences of non-compliance.
Training must be tailored to roles, from frontline merchants to IT teams, and updated at least annually to reflect the latest PCI DSS version 4.0 expectations.
PCI DSS Training for Remote Employees
Many organizations are now also operating hybrid environments and may have staff taking payments from home over the phone or on personal devices. Addressing risks surrounding mobile and remote offices will be critical. IBM’s Cost of a Data Breach Report 2022 revealed that when remote working was a factor in causing a breach, the costs were, on average, nearly $1 million greater than in breaches where remote environments were not a factor.
Training should address necessary security controls for remote work environments (i.e., can employees use personal devices? If employees are taking a payment over the phone, can a personal cell phone be used? Can they use VoIP clients like Jabber or others? Should they be writing down cardholder information on paper forms and bringing it back to the office to process?). Having hybrid or multiple payment environments opens up additional vulnerabilities and exposures to compromise.
PCI Training for Review of Acceptable Use of End-User Technologies
DSS version 4.0 also requires training to review acceptable use of end-user technologies, so employees should receive information on how they should access and use workstations, laptops, mobile devices, etc., and understand the consequences of not adhering to acceptable use policies. Training should address not only appropriate usage but also what can happen if an employee does not follow policy. Many times, employees will find a workaround or sidestep policy to complete a task more quickly or help a customer, and may not realize how their actions can lead to non-compliance and/or data compromise.
Review PCI DSS Training Annually
Organizations are now required to review and update (as needed) the security awareness program at least annually. This requirement is a best practice until 31 March 2025, but we would recommend ensuring that your staff training has been reviewed so employees are receiving up-to-date information and understand their role in protecting the cardholder data environment. It is also important to update ongoing training so staff are engaged and do not view the training as a burden, but rather a tool to help them better perform their job responsibilities and protect customer information.
Review our recent article on what a comprehensive PCI training program should address and who should participate. As we look ahead to National Cybersecurity Awareness Month in October, your teams can also identify ways to continue to engage merchants and improve awareness with ongoing training opportunities, tools, lessons learned, and alerts.
Start Stronger PCI Training Today
Ready to strengthen your organization’s payment security and meet PCI DSS training requirements? Explore CampusGuard’s PCI training courses designed for merchants, IT teams, and executives, helping you meet PCI DSS training expectations and protect your cardholder data environment. Request a free demo or get started today!