This is page 2 of:
Avoid Paying For PCI Certification You Don’t Need
This Standards Training costs $995 with a 10 percent discount for Participating Organizations. When you throw in the hotel, meals and travel, you can count on spending about $2,000 for each person you send. If the training investment saves you only a day or so of QSA time, it still pays for itself almost immediately. To me, therefore, it’s a no-brainer.
The Council recently announced its ISA Training, which is designed to help Level 2 merchants meet the new MasterCard compliance validation requirements. In case you missed the news, effective June 2011 Level 2 merchants can continue to self-assess only if their SAQ is prepared by internal staff who have successfully completed this ISA program. Because the alternative is to hire a QSA to perform an independent assessment, many Level 2 merchants have been anxiously awaiting the details on this program.
If you are a Level 2 merchant and you want to continue using an SAQ, your first step is to become an ISA Sponsor Company. This step mostly involves completing a form and sending it to the PCI Council. There are a few requirements, though: ISA Training is only for merchants and processors; you have to have an internal audit department; and you cannot be affiliated with a QSA or ASV company in any way. That is, ISA Training and certification is for merchants, not consultants.
Once ISA Sponsor Company status is achieved, that company nominates individual full-time employees, who are designated as Internal Security Assessors, to attend ISA Training. The guidelines for who can attend call for employees with at least five years' experience plus a CISSP, CISA or CISM certification (or equivalent work experience). In other words, attendees should already have significant security audit experience and technical expertise.
ISA Training costs $2,495 per attendee. (Will someone please tell me why the Council could not have just made it $2,500?) It lasts three days and includes a written test. If you are a Participating Organization (PO), you get a $1,000 discount, paying $1,495, a pretty good return on your annual membership fee and yet another reason why you should be a PO. Like QSAs, ISAs require annual recertification training and testing, at a cost of an additional $995 per ISA per year. (As far as I can tell, there is no charge to become an ISA Sponsor Company.) Add in travel charges, and the up-front cost comes to about $4,000 per person ($3,000 for a PO), or double the cost of Standards Training.
May 13th, 2010 at 9:20 am
As cost effective as this training is, it's still too expensive for Level 4 merchants (both time and money). What would you advise for non-tech-savvy Level 4 merchants? Do you think the PCI Council will have a webinar option for them to learn the basics?
May 13th, 2010 at 2:09 pm
Thanks for your suggestion, Russell. Having an official PCI Council training webinar is a great idea! I hope the PCI Council trainers can do a PCI 101 course or similar focused on business requirements, but their plate is pretty full right now. Meanwhile, check the Council’s website for recordings of past webinars: https://www.pcisecuritystandards.org/education/webinars.shtml.
MasterCard has its Merchant Education Program (http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html) with some modules that could be valuable, too.
Webinars are one thing, but you can’t replace face-to-face training and information sharing with your peers. Therefore you should speak to any industry associations you belong to. For example, I do PCI training for one association annually which draws a good crowd, and I have done PCI training for clients, trade groups, and at industry meetings (and I’m sure other QSAs and consultants do, too). You might check and see if that is an option. Lastly, speak with your acquirer or QSA to see what training they might be able to offer.
Personally, I wish trade associations or vendors would step into the breach and provide PCI training (in person and/or webinar) as a value-added service to their members/customers. It would be a cost-effective alternative for small and medium businesses particularly. I know associations have a lot of things going on with legislation and all, but PCI is pretty important to their members.
May 13th, 2010 at 4:25 pm
If I'm a Level 1 merchant, why would I not consider the ISA training? Has Visa changed their rules by stating that Level 1 merchants must use a QSA? Looks like the Visa CISP website still states that acquirers can accept ROCs performed internally.
May 13th, 2010 at 7:35 pm
@ return,
Thanks for your comment.
Let’s look at Visa’s website which says: “Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer.” To me, that’s pretty clear. But as you point out, it continues: “Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Attestation of Compliance for Onsite Assessments – Merchants form completed by their assessor to their acquirers.”
A few points here. First, Visa says L1 merchants should engage a QSA to prepare the ROC. That part is pretty clear, and when a company like Visa says “should” it generally means “you will.”
Second, Visa leaves open the option for the L1 merchant’s acquirer to accept a ROC provided an officer of the company sends a letter. I don’t know what such a letter should say (My QSA was out sick today? My QSA and I didn’t agree?), but you still need a ROC prepared by an assessor. Remember, this option is at the discretion of the acquirer; it is not a merchant option.
Personally (yes I’m a QSA and yes I’m likely biased), I think an acquirer would have to have rocks in their head to take on the risk of a major data compromise at an L1 merchant without a QSA assessment. If/when the merchant is breached, the acquirer could have a tough time passing the fine to the merchant if they were the ones who said it was OK to skip the outside assessment. I don’t think too many acquirers are willing to take that risk in this current threat environment. They have everything to lose (as in $millions, and the relationship officer’s job) and nothing to gain. I’d love to hear from an L1 merchant who managed to talk their acquirer into skipping an outside assessment after TJX, et al.
Third, it looks like the merchant still needs the AOC to be "completed by their assessor." It doesn't say "Qualified Security Assessor," just "assessor," so there is some ambiguity, but I believe, based on the first sentence, that Visa's intent is a QSA.
Therefore, I’d say that the opportunity to self-assess for L1 merchants is pretty limited, and the decision rests with the acquirer and not the merchant. Even so, there is no statement (so far, at least) from Visa that whoever is the internal assessor, she/he needs the ISA credential.
I’m a fan of the Council, and I recommend their training to you. My point is that you should sign up for the course that’s right for you whether or not you get some initials after your name.
May 13th, 2010 at 8:44 pm
I am a merchant service provider for three of the largest acquirers. Our acquiring banks are requiring that all of our merchants, including the Level 4 mom-and-pop, one-man-band merchants, "validate" their compliance. (Self-validation is fine.)
When you refer to certification, are you speaking about the vulnerability scans? Our processors are requiring that any merchant who qualifies to have a scan under the PCI DSS description present their scan reports for certification.
I agree that it doesn't have to cost anything for stand-alone terminal merchants, but the real problem is that merchants and people working in the industry are still confused as to what they are supposed to do. They are looking at the big picture and not at how it relates directly to their internal space.
May 14th, 2010 at 1:07 pm
@Breina,
Thanks for your comment. The vulnerability scans you mention are part of a merchant's PCI compliance. Merchants requiring quarterly scanning (i.e., those completing SAQ C and D) must have them done by an ASV. Sometimes the acquirer will want to see the scan summaries, but generally they go with the SAQ, which, when completed, includes the scanning (Requirement 11).
BTW, there is no such thing as “certified” in PCI. A merchant or processor or application can be validated, but nothing is certified. The difference is important. Compliance validation is at a point in time, and a merchant or processor can slip out of compliance with one system change. Certification implies a sort of guarantee that unfortunately doesn’t exist in the PCI world.