PCI DSS v4.0 Requirement 12.6 — awareness expectations evolved

PCI DSS v4.0 expanded the security awareness requirement; what the changes mean for customers in payments.

PCI DSS v4.0 expanded the security awareness requirement at 12.6 relative to v3.2.1, splitting it into 12.6.1 through 12.6.3.2. The substantive changes are modest, but the documentation expectations have tightened in ways worth flagging for customers in payments.

v4.0 requires a formal security awareness programme (12.6.1) delivered to all personnel upon hire and at least once every 12 months (12.6.3). That cadence is not new: v3.2.1 Requirement 12.6.1 already required training upon hire and at least annually. What is new is the prescribed content and upkeep: 12.6.2 requires the programme itself to be reviewed at least once every 12 months and updated for new threats, 12.6.3.1 requires training to cover threats to the cardholder data environment including phishing and related attacks and social engineering, and 12.6.3.2 requires coverage of acceptable use of end-user technologies. These three were future-dated requirements, best practice until 31 March 2025 and mandatory thereafter.

Documentation expectations are now spelled out in more detail. The testing procedures have the assessor examine the programme, the training materials and the records of who was trained and when, so each delivery should be recorded with its date, the topics covered and the attendees. Acknowledgement is the evidence requirement that catches some customers: 12.6.3 requires personnel to acknowledge at least once every 12 months that they have read and understood the information security policy and procedures (v3.2.1 12.6.2 asked for the same). A training-completion record on its own does not satisfy that requirement in a QSA assessment; the acknowledgement must be captured separately and be attributable to the individual.

The customised approach (v4.0's flexibility provision) does allow alternative implementations, but it requires a targeted risk analysis per Requirement 12.3.2 and a controls matrix for each customised control, with the assessor then deriving their own testing procedures. Most customers find this more demanding than simply following the defined approach.

Operational implications for customers in payments: validate that your awareness programme delivers upon hire and at least once every 12 months with the topics covered documented per delivery, that completion is accompanied by an individual acknowledgement of the information security policy and procedures, that the programme itself is reviewed and updated at least once every 12 months, and that the topic list aligns with the v4.0-specific expectations (phishing and related attacks, social engineering, and acceptable use of end-user technologies must be covered explicitly).

Our PCI DSS reporting covers Requirement 12.6 in the form QSAs expect to see; customers who have moved from competitor platforms have commonly cited this as material to the audit-evidence position.

About the author. Sinéad Ryan is Head of Customer Success at GetCheckmark.