Avoid Paying For PCI Certification You Don’t Need

Written by Walter Conway
May 12th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Retailers these days have far fewer PCI training options open to them. About the only game in town anymore for detailed PCI standards training is the PCI Council itself. But be sure to choose your program carefully. Unless you are an L2 merchant who plans to self-assess, you could find yourself overpaying for a certification that you don’t need.

With its most recent announcement, the PCI Council is now offering merchant training in two flavors: PCI Standards Training, which is open to every merchant, and the new PCI Internal Security Assessor (ISA) Training, which is aimed at Level 2 merchants who want to continue using a Self-Assessment Questionnaire (SAQ). The two questions for retail CIOs are:

  • Which program is right for your organization?
  • How do you maximize the return on your training investment?

If you are looking for PCI training, then what better source could there be than the PCI Council itself? In the past, Visa and some banks—notably Wells Fargo—offered two-day PCI training programs for merchants. The cost to attend was minimal (sometimes free) and the trainers were the same people who trained QSAs, so each option was a rigorous program. I know because I had the opportunity to attend both.

Neither option is available today. But the PCI Council has stepped into the gap by cloning its QSA training to produce two different programs, both aimed at merchants. And the differences are important.

The PCI Council has offered its PCI Standards Training program for over a year. This two-day session is modeled on the Council’s QSA training. It covers the PCI program, scoping an assessment, the PCI DSS requirements in detail and a fourth part that is not included in QSA training but addresses managing your ongoing compliance program, including some best practices.

Personally, I wish every merchant on the planet would send a couple of people to a Standards Training session. As a QSA, I know any assignment is more productive when the client knows what they need to do to become compliant. Everything goes more smoothly when both parties have an understanding of PCI and the intent of the requirements.

Plus, a trained employee knows her company better than any outsider. As a result, she may be able to assess internal vulnerabilities and risks better than a QSA who is exposed to the merchant’s environment for only a relatively short time.


6 Comments | Read Avoid Paying For PCI Certification You Don’t Need

  1. Russell Brown Says:

    As cost effective as this training is, it’s still too expensive for level 4 merchants (both time and money). What would you advise for non-tech savvy level 4 merchants? Do you think the PCI Council will have a webinar option for them to learn the basics?

  2. Walt Conway Says:

    Thanks for your suggestion, Russell. Having an official PCI Council training webinar is a great idea! I hope the PCI Council trainers can do a PCI 101 course or similar focused on business requirements, but their plate is pretty full right now. Meanwhile, check the Council’s website for recordings of past webinars:

    MasterCard has its Merchant Education Program ( with some modules that could be valuable, too.

    Webinars are one thing, but you can’t replace face-to-face training and information sharing with your peers. Therefore you should speak to any industry associations you belong to. For example, I do PCI training for one association annually which draws a good crowd, and I have done PCI training for clients, trade groups, and at industry meetings (and I’m sure other QSAs and consultants do, too). You might check and see if that is an option. Lastly, speak with your acquirer or QSA to see what training they might be able to offer.

    Personally, I wish trade associations or vendors would step into the breach and provide PCI training (in person and/or webinar) as a value-added service to their members/customers. It would be a cost-effective alternative for small and medium businesses particularly. I know associations have a lot of things going on with legislation and all, but PCI is pretty important to their members.

  3. return Says:

    If I’m a Level 1 merchant, why would I not consider the ISA training? Has Visa changed their rules by stating that level 1 merchants must use a QSA? Looks like the VISA CISP website still states that acquirers can accept ROCs performed internally.

  4. Walt Conway Says:

    @ return,

    Thanks for your comment.

    Let’s look at Visa’s website which says: “Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer.” To me, that’s pretty clear. But as you point out, it continues: “Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Attestation of Compliance for Onsite Assessments – Merchants form completed by their assessor to their acquirers.”

    A few points here. First, Visa says L1 merchants should engage a QSA to prepare the ROC. That part is pretty clear, and when a company like Visa says “should” it generally means “you will.”

    Second, Visa leaves open the option for the L1 merchant’s acquirer to accept a ROC provided an officer of the company sends a letter. I don’t know what such a letter should say (My QSA was out sick today? My QSA and I didn’t agree?), but you still need a ROC prepared by an assessor. Remember, this option is at the discretion of the acquirer; it is not a merchant option.

    Personally (yes I’m a QSA and yes I’m likely biased), I think an acquirer would have to have rocks in their head to take on the risk of a major data compromise at an L1 merchant without a QSA assessment. If/when the merchant is breached, the acquirer could have a tough time passing the fine to the merchant if they were the ones who said it was OK to skip the outside assessment. I don’t think too many acquirers are willing to take that risk in this current threat environment. They have everything to lose (as in $millions, and the relationship officer’s job) and nothing to gain. I’d love to hear from an L1 merchant who managed to talk their acquirer into skipping an outside assessment after TJX, et al.

    Third, it looks like the merchant still need the AOC to be “completed by their assessor.” It doesn’t say “Qualified Security Assessor”, just “assessor,” so there is some ambiguity, but I believe based on the first sentence Visa’s intent is a QSA.

    Therefore, I’d say that the opportunity to self-assess for L1 merchants is pretty limited, and the decision rests with the acquirer and not the merchant. Even so, there is no statement (so far, at least) from Visa that whoever is the internal assessor, she/he needs the ISA credential.

    I’m a fan of the Council, and I recommend their training to you. My point is that you should sign up for the course that’s right for you whether or not you get some initials after your name.

  5. Breina Montalvo Says:

    I am a merchant service provider for three of the largest acquiers. Our acquiering banks are requiring, that all of our merchants,including the Level four, moms and pops, one man band, “validate” their compliancy. (Self-validation is fine.)

    When you refer to certification, are you speaking about the vulnerabitlity scans? Our processors are requiring that any merchant who qualifys to have a scan under the PCI DSS description, present their scan reports for certification.

    I agree that it doesn’t have to cost anything for stand alone terminal merchants but the real problem is that merchants and people working in the industry, are still confused as to what they are supposed to do. They are looking at the big picture and not about how it relates directly to their internal space.

  6. Walt Conway Says:


    Thanks for your comment. The vulnerability scans you mention are part of a merchant’s PCI compliance. Merchants requiring quarterly scanning (i.e., those completing SAQ C and D) must have them done by an ASV. Sometimes the acquirer will want to see the scan summaries, but generally they go with the SAQ which when completed includes the scanning (Requirement 11).

    BTW, there is no such thing as “certified” in PCI. A merchant or processor or application can be validated, but nothing is certified. The difference is important. Compliance validation is at a point in time, and a merchant or processor can slip out of compliance with one system change. Certification implies a sort of guarantee that unfortunately doesn’t exist in the PCI world.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.