PCI DSS 4.0 phishing training requirements

PCI DSS 4.0 Phishing Training: What's Required in 2026

The transition deadline for PCI DSS v4.0 has passed: every previously "future-dated" requirement became mandatory on 31 March 2025, and QSAs are now writing reports against the full standard (the current published revision is v4.0.1, which replaced v4.0 at the end of 2024 with clarifications rather than new or removed requirements). For merchants and service providers handling cardholder data, the most operationally awkward section is the security awareness program described in Requirement 12.6 - not because it is technically complex, but because the bar for evidence is significantly higher than it was under v3.2.1.

This post is a practical walkthrough of what Requirement 12.6 actually says about phishing, what your QSA will want to see during the on-site portion of your Report on Compliance and how to operate a program that produces clean evidence without grinding your security team into dust.

What Requirement 12.6 says about phishing

Requirement 12.6 is broken into sub-requirements that, together, describe a complete security awareness program. The pieces most directly relevant to phishing are:

  • 12.6.1 - A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures and their role in protecting the cardholder data environment.
  • 12.6.2 - Awareness training is reviewed at least once every 12 months and updated to address any new threats and vulnerabilities that may impact the security of the cardholder data environment, or the information being provided to personnel about their role in protecting cardholder data.
  • 12.6.3 - Personnel receive security awareness training upon hire and at least once every 12 months, delivered through multiple communication methods, and acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.
  • 12.6.3.1 - That training covers the threats and vulnerabilities that could affect the cardholder data environment, explicitly including phishing and related attacks and social engineering. This is the sub-requirement that names phishing; it was future-dated in v4.0 and has been mandatory since 31 March 2025.

The PCI Security Standards Council's published guidance on 12.6 (available on pcisecuritystandards.org) makes clear that the goal is behavioral: personnel should be able to recognize and respond appropriately to threats they actually encounter. That intent is what your QSA will be measuring you against.

Why phishing simulations are now table-stakes evidence

The standard does not literally mandate "simulated phishing campaigns." It mandates a program that addresses phishing as a named threat and that produces evidence the program is doing its job. In practice, three forces have made simulation the default evidence form:

  1. Verifiability. A QSA cannot grade behavior from a slide deck. They can grade behavior from a campaign report showing 412 users targeted, 38 clicked, 38 completed remediation training within 7 days.
  2. Threat-landscape currency. 12.6.2 requires materials to keep pace with new threats. Phishing simulation programs are inherently current because the templates change with the threat landscape - AI-generated lures, MFA-bypass campaigns, QR-code (quishing) attempts, smishing and vishing.
  3. Cross-framework reuse. The same evidence satisfies SOC 2 CC1.4 and CC2.2, ISO 27001 A.6.3, NIST CSF PR.AT, and the awareness sub-controls in HIPAA and GLBA. PCI assessors are increasingly willing to accept the same artifacts.

If you are running annual computer-based training and nothing else, you are not technically out of compliance - but you are operating well below the modal merchant in your peer cohort and assessors are not shy about saying so in their notes.

What your QSA will request

Expect document requests in roughly this order during the assessment fieldwork:

  • The written security awareness program policy with version history and management approval.
  • A list of all personnel with access to the cardholder data environment, including contractors and third parties subject to your scope.
  • Training completion records tied to those personnel, with dates and content version.
  • Sample training content covering phishing, social engineering and any other named threats.
  • Phishing simulation campaign reports for the assessment window, including target lists, send dates, click-through rates and remediation outcomes.
  • Evidence of remediation for users who clicked - typically auto-assigned remediation training with completion timestamps.
  • Acknowledgment records (signed or attested) showing personnel reviewed policies and completed training.

The single most common finding in this area is a mismatch between the policy and the practice: the policy says the program runs quarterly, but the campaign log shows a 9-month gap. Treat your written policy as an operational specification, not a marketing document.

Frequency: what auditors actually expect

Requirement 12.6.3 sets the floor at "upon hire and once every 12 months." That is the minimum a QSA will accept as a clean pass on the requirement itself. In practice, assessors interpret 12.6.2's "review and update" obligation as expecting more frequent reinforcement - particularly for phishing, given how quickly the threat surface shifts.

The pattern that consistently produces the cleanest assessor experience is:

  • Annual structured training (the "12.6.3 floor") delivered to all in-scope personnel.
  • Monthly or quarterly phishing simulations spanning the five common attack categories - credential harvest, attachment-based malware, BEC/wire-fraud, link-based info theft and account-spoof prompts.
  • Auto-assigned remediation training the moment a user clicks or submits credentials in a simulation, with a target completion window of 7 days.
  • Quarterly written program review, with notes on threat updates and template changes.

Three difficulty tiers - easy, regular and hard - let you demonstrate you are not just running the same softball template every month and reporting low click rates as if they meant something.

Multi-channel coverage and PCI scope

2026 phishing is multi-channel. Attackers contact merchant employees by SMS pretending to be IT, by phone pretending to be a payment processor and by collaboration tools pretending to be a vendor. Your QSA may not yet ask you to demonstrate smishing and vishing simulation coverage by name, but the threats they reference under 12.6.2 already include both. Programs that include multi-channel testing produce noticeably stronger evidence on the threat-landscape sub-requirement.

Common findings in 2026 PCI DSS assessments

  • Stale content. Training that does not reference threats from the past 12 months reads as a control that has not been reviewed.
  • Coverage gaps. A handful of unassigned contractors or seasonal staff with CDE access, often missed because they are managed in a different HR system.
  • Phantom remediation. Records of who clicked, with no records of follow-up training.
  • Executive carve-outs. Senior leadership exempted from simulations for political reasons. Most QSAs treat this as a structural finding because executive accounts are the highest-value targets, so excluding them removes exactly the population the control most needs to cover.
  • No measurement. Awareness program in place, click rates not tracked. The standard expects "review and update" - review without measurement is impossible.
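The findings above are all reconcilable from artifacts you already hold, so it is worth running the reconciliation yourself before the QSA does. The following Python script is an added example, not code from the original post or from any simulation vendor: it takes the in-scope personnel list, a campaign log with click and remediation records, and the cadence written into your policy, and flags the policy/practice gap, coverage gaps, phantom remediation and the per-campaign click rates that 12.6.2's review depends on. The Campaign record layout, user ids and dates are constructed for illustration; the 92-day gap (quarterly) and 7-day remediation window are the targets from the pattern described earlier.

```python
"""Evidence self-check for a Requirement 12.6 awareness program.

Reconciles the artifacts a QSA requests (CDE personnel list, simulation
campaign log, remediation completions) against the written policy cadence
and flags the common findings: cadence mismatches, coverage gaps, phantom
remediation and missing measurement. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Campaign:
    """One simulation send, as exported from a campaign log (hypothetical layout)."""
    sent: date
    targets: frozenset          # user ids that received the lure
    clicked: frozenset          # subset of targets that clicked or submitted credentials
    remediated: dict = field(default_factory=dict)  # user id -> remediation completion date


def cadence_gaps(campaigns, max_gap_days):
    """Consecutive send dates further apart than the written policy allows."""
    sends = sorted(c.sent for c in campaigns)
    return [(a, b, (b - a).days) for a, b in zip(sends, sends[1:])
            if (b - a).days > max_gap_days]


def coverage_gaps(personnel, campaigns):
    """In-scope personnel never targeted by any campaign in the window."""
    targeted = set().union(*(c.targets for c in campaigns))
    return sorted(set(personnel) - targeted)


def phantom_remediation(campaigns, window_days):
    """Clickers with no remediation record, or one completed after the window."""
    findings = []
    for c in campaigns:
        for uid in sorted(c.clicked):
            done = c.remediated.get(uid)
            if done is None or (done - c.sent).days > window_days:
                findings.append((c.sent, uid, done))
    return findings


def click_rates(campaigns):
    """Per-campaign click rate: the measurement a 12.6.2 review needs."""
    return {c.sent.isoformat(): round(len(c.clicked) / len(c.targets), 3)
            for c in campaigns}


def evidence_report(personnel, campaigns, policy_max_gap_days, remediation_window_days):
    """Bundle every check into one structure you can hand to the program owner."""
    return {
        "cadence_gaps": cadence_gaps(campaigns, policy_max_gap_days),
        "coverage_gaps": coverage_gaps(personnel, campaigns),
        "phantom_remediation": phantom_remediation(campaigns, remediation_window_days),
        "click_rates": click_rates(campaigns),
    }


# Constructed sample: policy says quarterly sims (<= 92 days apart) and a
# 7-day remediation window; contractor c1 lives in a different HR system
# and was never enrolled, and one campaign gap is roughly nine months.
SAMPLE_PERSONNEL = ["u1", "u2", "u3", "u4", "u5", "u6", "u7", "u8", "c1"]
SAMPLE_CAMPAIGNS = [
    Campaign(date(2025, 1, 15), frozenset({"u1", "u2", "u3", "u4"}), frozenset()),
    Campaign(date(2025, 4, 10), frozenset({"u1", "u2", "u3", "u4", "u5", "u6"}),
             frozenset({"u3", "u5"}), {"u3": date(2025, 4, 14)}),
    Campaign(date(2026, 1, 12), frozenset(f"u{i}" for i in range(1, 9)),
             frozenset({"u2"}), {"u2": date(2026, 1, 25)}),
]


def run_sample():
    """Run the checks over the constructed sample; returns the report dict."""
    return evidence_report(SAMPLE_PERSONNEL, SAMPLE_CAMPAIGNS,
                           policy_max_gap_days=92, remediation_window_days=7)


if __name__ == "__main__":
    for finding, value in run_sample().items():
        print(f"{finding}: {value}")
```

On the sample data the script reports the 277-day gap between the April 2025 and January 2026 sends (the "quarterly on paper, nine months in practice" finding), c1 as never targeted, u5 as a clicker with no remediation record and u2 as remediated 13 days after the send. In a real program the three inputs would be loaded from your HRIS export, the platform's campaign CSV and the LMS completion report; the check itself does not change.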

Mapping 12.6 evidence to other PCI requirements

Phishing simulation evidence does work beyond Requirement 12 itself. Several other PCI DSS 4.0 requirements benefit from awareness-program artifacts:

  • Requirement 5 (Protect All Systems and Networks from Malicious Software). Awareness training addressing attachment-based phishing complements the technical anti-malware controls.
  • Requirement 8 (Identify Users and Authenticate Access). Credential-harvest phishing simulations reinforce 8.x authentication awareness, particularly around MFA-fatigue and prompt-bombing scenarios.
  • Requirement 9 (Restrict Physical Access). Vishing campaigns test whether personnel will grant physical or logical access to callers claiming to be IT, vendors or auditors.
  • Requirement 12.10 (Incident Response Plan). User-reported phishing exercises the incident response process continuously, generating evidence of operational readiness rather than tabletop-only preparation.

One well-instrumented program produces evidence touching at least four major PCI requirement domains. That is part of why QSAs increasingly treat the absence of simulation as a structural weakness - the same artifacts close several requirements at once.

Service-provider expectations and shared responsibility

If you are a PCI service provider - a payment processor, a card-data tokenization vendor, a hosting provider for in-scope environments - your customers will request your awareness-program evidence as part of their own assessments. The PCI DSS shared-responsibility matrix typically allocates personnel awareness to the service provider for in-scope staff. A clean export that you can share under NDA with multiple customers reduces the friction enormously and is increasingly a sales-cycle accelerant for service providers competing on assurance.

The same export also serves SOC 2 and ISO 27001 audiences, so the evidence work is amortized across multiple frameworks.

How a phishing simulation platform produces 12.6 evidence

A modern simulation platform should produce, with no manual intervention, every artifact your QSA will request. Bait & Phish is built specifically for this - five template intent categories crossed with three difficulty levels, automatic remediation training assigned the moment a user clicks and exportable PDF and CSV reports formatted around the questions a QSA actually asks. SMS phishing, voice phishing and AI-generated email lures are first-class campaign types alongside traditional phishing.

If you're working through your first PCI DSS 4.0 cycle and want to see how a continuous program looks in practice, spin up a free trial for up to 25 users and run a campaign this week - the resulting report is structured the same way the platform produces evidence for paying customers, so you can show it to your QSA or your own internal compliance team. Pricing for the full deployment is on the pricing page, and the team is happy to walk through the requirement-by-requirement mapping with your security lead.

For broader carrier and audit context, our companion guide on what cyber insurers ask about phishing training covers the overlapping evidence cyber insurance underwriters now expect at renewal - the same artifacts often satisfy both audiences.

See also: Phishing training compliance comparison across SOC 2, HIPAA, PCI DSS, NIST CSF, ISO 27001, GDPR and NIS2 - side-by-side table of clauses, expected cadence and audit posture.

This post is informational and not a substitute for guidance from a Qualified Security Assessor. Specific control interpretations vary by environment and assessor.
