Avoid Paying For PCI Certification You Don’t Need
Written by Walter Conway. A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Retailers these days have far fewer PCI training options open to them. About the only game in town anymore for detailed PCI standards training is the PCI Council itself. But be sure to choose your program carefully. Unless you are an L2 merchant who plans to self-assess, you could find yourself overpaying for a certification that you don’t need.
With its most recent announcement, the PCI Council is now offering merchant training in two flavors: PCI Standards Training, which is open to every merchant, and the new PCI Internal Security Assessor (ISA) Training, which is aimed at Level 2 merchants who want to continue using a Self-Assessment Questionnaire (SAQ). The two questions for retail CIOs are:
- Which program is right for your organization?
- How do you maximize the return on your training investment?
If you are looking for PCI training, then what better source could there be than the PCI Council itself? In the past, Visa and some banks—notably Wells Fargo—offered two-day PCI training programs for merchants. The cost to attend was minimal (sometimes free) and the trainers were the same people who trained QSAs, so each option was a rigorous program. I know because I had the opportunity to attend both.
Neither option is available today. But the PCI Council has stepped into the gap by cloning its QSA training to produce two different programs, both aimed at merchants. And the differences are important.
The PCI Council has offered its PCI Standards Training program for over a year. This two-day session is modeled on the Council’s QSA training. It covers the PCI program, scoping an assessment, and the PCI DSS requirements in detail, plus a fourth part that is not included in QSA training and addresses managing your ongoing compliance program, including some best practices.
Personally, I wish every merchant on the planet would send a couple of people to a Standards Training session. As a QSA, I know any assignment is more productive when the client knows what they need to do to become compliant. Everything goes more smoothly when both parties have an understanding of PCI and the intent of the requirements.
Plus, a trained employee knows her company better than any outsider. As a result, she may be able to assess internal vulnerabilities and risks better than a QSA who is exposed to the merchant’s environment for only a relatively short time.
May 13th, 2010 at 9:20 am
As cost effective as this training is, it’s still too expensive for level 4 merchants (both time and money). What would you advise for non-tech savvy level 4 merchants? Do you think the PCI Council will have a webinar option for them to learn the basics?
May 13th, 2010 at 2:09 pm
Thanks for your suggestion, Russell. Having an official PCI Council training webinar is a great idea! I hope the PCI Council trainers can do a PCI 101 course or similar focused on business requirements, but their plate is pretty full right now. Meanwhile, check the Council’s website for recordings of past webinars: https://www.pcisecuritystandards.org/education/webinars.shtml.
MasterCard has its Merchant Education Program (http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html) with some modules that could be valuable, too.
Webinars are one thing, but you can’t replace face-to-face training and information sharing with your peers. Therefore you should speak to any industry associations you belong to. For example, I do PCI training for one association annually which draws a good crowd, and I have done PCI training for clients, trade groups, and at industry meetings (and I’m sure other QSAs and consultants do, too). You might check and see if that is an option. Lastly, speak with your acquirer or QSA to see what training they might be able to offer.
Personally, I wish trade associations or vendors would step into the breach and provide PCI training (in person and/or webinar) as a value-added service to their members/customers. It would be a cost-effective alternative for small and medium businesses particularly. I know associations have a lot of things going on with legislation and all, but PCI is pretty important to their members.
May 13th, 2010 at 4:25 pm
If I’m a Level 1 merchant, why would I not consider the ISA training? Has Visa changed their rules by stating that level 1 merchants must use a QSA? Looks like the VISA CISP website still states that acquirers can accept ROCs performed internally.
May 13th, 2010 at 7:35 pm
@return,
Thanks for your comment.
Let’s look at Visa’s website which says: “Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer.” To me, that’s pretty clear. But as you point out, it continues: “Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Attestation of Compliance for Onsite Assessments – Merchants form completed by their assessor to their acquirers.”
A few points here. First, Visa says L1 merchants should engage a QSA to prepare the ROC. That part is pretty clear, and when a company like Visa says “should” it generally means “you will.”
Second, Visa leaves open the option for the L1 merchant’s acquirer to accept a ROC provided an officer of the company sends a letter. I don’t know what such a letter should say (My QSA was out sick today? My QSA and I didn’t agree?), but you still need a ROC prepared by an assessor. Remember, this option is at the discretion of the acquirer; it is not a merchant option.
Personally (yes I’m a QSA and yes I’m likely biased), I think an acquirer would have to have rocks in their head to take on the risk of a major data compromise at an L1 merchant without a QSA assessment. If/when the merchant is breached, the acquirer could have a tough time passing the fine to the merchant if they were the ones who said it was OK to skip the outside assessment. I don’t think too many acquirers are willing to take that risk in this current threat environment. They have everything to lose (as in $millions, and the relationship officer’s job) and nothing to gain. I’d love to hear from an L1 merchant who managed to talk their acquirer into skipping an outside assessment after TJX, et al.
Third, it looks like the merchant still needs the AOC to be “completed by their assessor.” It doesn’t say “Qualified Security Assessor,” just “assessor,” so there is some ambiguity, but I believe based on the first sentence Visa’s intent is a QSA.
Therefore, I’d say that the opportunity to self-assess for L1 merchants is pretty limited, and the decision rests with the acquirer and not the merchant. Even so, there is no statement (so far, at least) from Visa that whoever is the internal assessor, she/he needs the ISA credential.
I’m a fan of the Council, and I recommend their training to you. My point is that you should sign up for the course that’s right for you whether or not you get some initials after your name.
May 13th, 2010 at 8:44 pm
I am a merchant service provider for three of the largest acquirers. Our acquiring banks are requiring that all of our merchants, including the Level 4 moms and pops and one-man bands, “validate” their compliance. (Self-validation is fine.)
When you refer to certification, are you speaking about the vulnerability scans? Our processors are requiring that any merchant who qualifies to have a scan under the PCI DSS description present their scan reports for certification.
I agree that it doesn’t have to cost anything for stand-alone terminal merchants, but the real problem is that merchants and people working in the industry are still confused as to what they are supposed to do. They are looking at the big picture and not at how it relates directly to their internal space.
May 14th, 2010 at 1:07 pm
@Breina,
Thanks for your comment. The vulnerability scans you mention are part of a merchant’s PCI compliance. Merchants requiring quarterly scanning (i.e., those completing SAQ C and D) must have them done by an ASV. Sometimes the acquirer will want to see the scan summaries, but generally they go with the SAQ, which, when completed, includes the scanning (Requirement 11).
BTW, there is no such thing as “certified” in PCI. A merchant or processor or application can be validated, but nothing is certified. The difference is important. Compliance validation is at a point in time, and a merchant or processor can slip out of compliance with one system change. Certification implies a sort of guarantee that unfortunately doesn’t exist in the PCI world.