PCI DSS
The Payment Card Industry Data Security Standard requires every organization that processes, stores, or transmits cardholder data to maintain a formal security awareness program. Roleplays turns that requirement into measurable, engaging training.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard developed by the PCI Security Standards Council — founded by Visa, Mastercard, American Express, Discover, and JCB. Currently in version 4.0.1, PCI DSS defines technical and operational requirements for protecting cardholder data throughout the payment lifecycle.
PCI DSS applies to any organization that accepts, processes, stores, or transmits credit card information. This includes merchants of all sizes, payment processors, acquirers, issuers, and service providers. In practice, this means call center agents who take card numbers over the phone, retail employees who process transactions, and IT teams who manage payment infrastructure are all in scope.
Non-compliance can result in fines ranging from $5,000 to $100,000 per month from card brands, increased transaction fees, loss of the ability to process card payments, and significant reputational damage following a breach. The standard is not optional — it is enforced through contractual obligations between merchants and their acquiring banks.
Who must comply
- Call centers handling payment card data
- Retail and e-commerce businesses
- Banks, fintechs, and payment processors
- SaaS providers in the payment ecosystem
Consequences of non-compliance
- Fines up to $100,000/month per card brand
- Increased transaction processing fees
- Revocation of card processing privileges
- Liability for fraudulent transactions post-breach
Training requirements
PCI DSS v4.0 Requirement 12.6 establishes mandatory security awareness training for all personnel with access to cardholder data environments.
Requirement 12.6 — Security Awareness Program
A formal security awareness program must be implemented to make all personnel aware of the cardholder data security policy and procedures. This goes beyond a simple policy document — organizations must actively educate employees on threats, proper data handling, and their individual responsibilities for protecting cardholder data.
What QSA auditors verify: That a documented program exists, is approved by management, and covers all personnel — not just IT staff. The program must address current threats and be tailored to the organization's specific cardholder data environment.
Requirement 12.6.1 — Formal Awareness Program
The security awareness program must be reviewed at least once every 12 months and updated as needed to address new threats and vulnerabilities. The program must include multiple methods of communicating awareness and educating personnel — for example, posters, letters, meetings, web-based training, or simulated phishing exercises.
What QSA auditors verify: Documentation showing the program was reviewed and updated within the past 12 months, with evidence of multiple communication channels used.
Requirement 12.6.2 — Annual Training
Personnel must receive security awareness training at least once every 12 months. New hires must complete training upon onboarding. This is a minimum frequency — organizations facing higher risk or with higher employee turnover should consider more frequent training cycles.
What QSA auditors verify: Training completion records for all in-scope personnel within the past 12 months, plus evidence that new hires received training before gaining access to cardholder data.
Requirement 12.6.3 — Employee Acknowledgment
Personnel must acknowledge at least once every 12 months that they have read and understood the security awareness policy and procedures. This requirement ensures employees are not passively enrolled but actively engage with the content. A simple checkbox is insufficient — the acknowledgment must demonstrate meaningful engagement.
What QSA auditors verify: Signed or electronically recorded acknowledgments from all in-scope personnel, dated within the past 12 months. Auditors look for evidence that acknowledgment is tied to actual training completion, not just a standalone signature.
How Roleplays helps
Replace slide decks with realistic simulations that test real behavior — then document everything your QSA needs.
PCI-specific scenarios
Pre-built simulations for the most common PCI failure modes: social engineering calls requesting card numbers, phishing emails targeting payment systems, tailgating into secure areas, and improper card data storage. Scenarios are updated as threat landscapes evolve, satisfying Req. 12.6.1's annual review mandate.
Data masking training
Train agents to never read back full card numbers, use proper masking techniques (showing only last four digits), and recognize when a caller is attempting to elicit more data than necessary. Simulated callers test whether agents follow masking protocols under pressure.
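The masking rule above (show only the last four digits) is also something the systems around the agent can enforce, for example by redacting any full card number that slips into a call transcript or chat log before it is stored. The following is an added, constructed example, not code from the Roleplays platform: it masks a PAN to its last four digits and scans a transcript for unmasked card numbers, using a Luhn check so that other long digit strings (order numbers, ticket ids) are not flagged. The transcript lines and card number are constructed test data; `4111 1111 1111 1111` is a well-known test PAN, not a real card.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not adjacent to further digits. Constructed for this example.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a PAN; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("input does not have a PAN-length digit string")
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return the digit strings of every Luhn-valid PAN found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_transcript(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(_sub, text)


# Constructed call transcript for demonstration; the order number is a
# 13-digit string that fails Luhn and must not be treated as a PAN.
SAMPLE_TRANSCRIPT = (
    "Agent: I can see the card ending in 1111 on your account.\n"
    "Caller: Can you read the whole number back? It is 4111 1111 1111 1111.\n"
    "Agent: I am not able to read back full card numbers. Your order is 1234567890123.\n"
)

if __name__ == "__main__":
    print("unmasked PANs found:", find_unmasked_pans(SAMPLE_TRANSCRIPT))
    print(redact_transcript(SAMPLE_TRANSCRIPT))
```

Run over the sample transcript, `find_unmasked_pans` reports the one full card number the caller spoke and ignores the order number, and `redact_transcript` stores the line as `************1111`. In a real deployment the same check would run on the transcript before it reaches long-term storage, which is the kind of data-handling control an agent's masking training is meant to complement.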
Agent behavior scoring
Multi-criteria AI evaluation scores each agent on security awareness, data handling compliance, social engineering resistance, and proper escalation procedures. Results map to specific PCI DSS requirements, providing the competency evidence QSA auditors expect beyond simple attendance records.
Compliance documentation
Every training session generates timestamped records including participant identification, training content, duration, evaluation scores, and completion status. Export compliance reports showing 100% of in-scope personnel trained within the 12-month window — exactly what Req. 12.6.2 demands.
Social engineering defense
Simulated attackers use real-world social engineering tactics: pretexting as IT support, urgency-based manipulation, authority impersonation, and multi-step pretexting attacks. Agents learn to recognize and resist these tactics in a safe environment before facing them in production.
Built-in acknowledgment
Completing a simulation is the acknowledgment. Unlike passive checkbox forms, each completed session proves the employee actively engaged with security content. Session completion records serve as Req. 12.6.3 acknowledgments, with full timestamps and performance data as evidence.
Frequently asked questions
Does Roleplays satisfy PCI DSS Requirement 12.6.2 for annual training?
Yes. The platform tracks training completion dates for every employee and generates reports showing compliance status across your organization. You can configure annual or more frequent training cycles, set up automatic reminders for upcoming deadlines, and export completion evidence in formats QSA auditors expect.
Can we create scenarios specific to our call center environment?
Absolutely. Beyond the pre-built PCI scenarios, you can create custom simulations that mirror your specific call flows, payment processes, and threat landscape. For example, simulate a caller asking an agent to read back their full card number for "verification," or a pretexting attack where someone impersonates your IT department.
How does the platform handle the Req. 12.6.3 acknowledgment requirement?
Every completed simulation serves as an active acknowledgment. Unlike a passive checkbox, completing a training session proves the employee engaged with the security content, understood the scenarios presented, and demonstrated competency through their responses. Session records include timestamps, duration, and performance scores — far stronger evidence than a signed form.
Is the training content updated as new threats emerge?
Yes. PCI DSS Req. 12.6.1 requires the security awareness program to be reviewed and updated at least annually. Roleplays continuously updates its scenario library to reflect current threats — vishing techniques, AI-powered social engineering, new phishing patterns. Your QSA can verify that training content reflects the current threat landscape.
Can Roleplays replace our existing security awareness training entirely?
Roleplays can serve as your primary PCI security awareness training tool, covering all Req. 12.6 sub-requirements. Many organizations use it alongside their existing LMS — Roleplays handles the interactive, simulation-based component while the LMS manages policy document distribution and tracking. The platform's API enables integration with most learning management systems.
Get compliant faster.
Replace annual slide decks with simulations that actually test security behavior. Meet every PCI DSS 12.6 sub-requirement with documented evidence.