A3.1.4 Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).
Defined Approach Requirements
A3.1.4 Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).
PCI DSS Reference: Requirement 12
Customized Approach Objective
This requirement is not eligible for the customized approach.
Defined Approach Testing Procedures
A3.1.4.a Examine information security policies and procedures to verify that PCI DSS and/or information security training is required at least once every 12 months for each role with PCI DSS compliance responsibilities.
A3.1.4.b Interview personnel and examine certificates of attendance or other records to verify that personnel with PCI DSS compliance responsibility receive up-to-date PCI DSS and/or similar information security training at least once every 12 months.
Purpose
Personnel responsible for PCI DSS compliance have training needs beyond what general security awareness training typically covers; without that role-specific training they cannot perform their compliance duties effectively.
Good Practice
Individuals with PCI DSS compliance responsibilities should receive specialized training that, in addition to a general awareness of information security, focuses on specific security topics, skills, processes, or methodologies that must be followed for those individuals to perform their compliance responsibilities effectively.
Training may be offered by third parties such as the PCI SSC (for example, PCI Awareness, PCIP, and ISA), payment brands, and acquirers, or it may be delivered internally. Training content should be applicable to the individual's job function, be current, and cover the latest security threats and/or the current version of PCI DSS.
Further Information
For additional guidance, refer to Information Supplement: Best Practices for Implementing a Security Awareness Program.
Purpose
Designated Entities must ensure all PCI DSS requirements are in place and effective; A3.1.4 supports this by requiring that the personnel accountable for compliance (the A3.1.3 roster) receive current PCI DSS or information security training at least once every 12 months.
Compliance Strategies
- Continuous monitoring of training completion dates against the 12-month window
- Annual assessment, with certificates of attendance or equivalent records retained as evidence
Typical Policies
- PCI DSS Controls Effectiveness Policy (including a training requirement for each role with compliance responsibilities)
Common Pitfalls
- No ongoing monitoring, so a person's 12-month window lapses unnoticed
- Missed requirements, e.g., personnel added to the A3.1.3 roster without a training record
Type
Process/Technical Control
Difficulty
High
Key Risks
- Non-compliance, audit failures
Recommendations
- Automate control effectiveness monitoring, including tracking of each person's last training date and next due date
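The check an assessor performs under A3.1.4.b (records show each person on the A3.1.3 roster was trained within the last 12 months) is easy to automate as part of continuous monitoring. The script below is an added example and is not code from the page or from PCI SSC; the roster, training records and dates are constructed sample data, and "12 months" is assumed to mean 365 days. It flags roster members with no record or a stale record, ignores future-dated rows (which are not valid evidence of completed training), and reports each person's next due date so a gap can be caught before it opens. Whether the content of a given course is "up-to-date" still needs a human judgement; the script only checks recency.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page). PERSONNEL is the A3.1.3 roster
# of people with PCI DSS compliance responsibilities; TRAINING_RECORDS mimics
# an LMS export or a list of certificates of attendance.
PERSONNEL = {
    "alice": "PCI Compliance Manager",
    "bob": "Internal Security Assessor",
    "carol": "Security Engineer (CDE)",
    "dave": "Internal Auditor",
}

TRAINING_RECORDS = [
    # (person, course title, completion date)
    ("alice", "PCI DSS v4 Update", date(2024, 3, 10)),
    ("alice", "PCI Awareness", date(2023, 2, 1)),
    ("bob", "ISA Requalification", date(2023, 1, 15)),   # more than a year old
    ("carol", "Secure Coding for Payment Apps", date(2023, 6, 1)),
    ("carol", "PCI Awareness", date(2025, 1, 1)),        # future-dated: not valid evidence
    ("erin", "PCI Awareness", date(2024, 1, 5)),         # not on the A3.1.3 roster
]

WINDOW = timedelta(days=365)  # assumption: "at least once every 12 months" == 365 days


def latest_training(records, as_of):
    """Map person -> most recent completion date, ignoring rows dated after as_of."""
    latest = {}
    for person, _course, completed in records:
        if completed > as_of:
            continue  # a completion date in the future cannot evidence past training
        if person not in latest or completed > latest[person]:
            latest[person] = completed
    return latest


def training_gaps(personnel, records, as_of, window=WINDOW):
    """Return {person: reason} for every roster member out of compliance on as_of."""
    latest = latest_training(records, as_of)
    gaps = {}
    for person, role in personnel.items():
        last = latest.get(person)
        if last is None:
            gaps[person] = f"{role}: no valid training record"
        elif as_of - last > window:
            age = (as_of - last).days
            gaps[person] = f"{role}: last trained {last.isoformat()}, {age} days ago"
    return gaps


def next_due(personnel, records, as_of, window=WINDOW):
    """Return {person: date} giving the last day the next training may be completed.

    People with no valid record are already due, so they map to as_of itself.
    """
    latest = latest_training(records, as_of)
    return {p: (latest[p] + window if p in latest else as_of) for p in personnel}


def unrostered(personnel, records):
    """People with training records who are not on the A3.1.3 roster (review only)."""
    return sorted({person for person, _c, _d in records} - set(personnel))


if __name__ == "__main__":
    today = date(2024, 5, 1)  # fixed for reproducibility; use date.today() in practice
    for person, reason in training_gaps(PERSONNEL, TRAINING_RECORDS, today).items():
        print(f"GAP   {person}: {reason}")
    for person, due in sorted(next_due(PERSONNEL, TRAINING_RECORDS, today).items()):
        print(f"DUE   {person}: {due.isoformat()}")
    for person in unrostered(PERSONNEL, TRAINING_RECORDS):
        print(f"CHECK {person}: has training records but is not on the A3.1.3 roster")
```

Run it on a schedule and alert on any `GAP` line, and on any `DUE` date falling inside the next reporting period; the `CHECK` output is a prompt to reconcile the A3.1.3 roster rather than a finding by itself.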