This is page 3 of:
Avoid Paying For PCI Certification You Don’t Need
This brings us to the question: which training is right for your company? If you are a Level 1 retailer (or a Service Provider), stick with the two-day Standards Training. It covers the same material, has the same trainer, costs less and, as long as Visa requires you to hire a QSA to prepare your Report on Compliance (ROC), you don’t get any benefit from the extra money you spend on the ISA Certification. The same recommendation goes for Level 2 merchants who decide to retain a QSA for their assessment, and even for Level 3 and 4 merchants who want to understand PCI DSS.
If you are a Level 2 merchant who wants to validate using an SAQ, however, the new ISA Training is for you. I suggest, though, you send a couple of people. PCI DSS is a complicated standard, and your ISA will need someone else with whom to discuss ideas, options and interpretations.
Why would a Level 2 merchant hire a QSA even with the ISA option? I am a QSA so I’m biased, but there are a few things a CIO needs to consider. A QSA offers a more thorough assessment because they live and breathe PCI every day; your ISA has a whopping three days of training and a year between assessments. As an outsider, a QSA can more easily deliver bad news or take a stand that may be organizationally unpopular even though it is in your company’s best interests. That is, the QSA is interested primarily in your compliance, whereas delivering uncomfortable news can be awkward for an ISA who has to consider his career path. A QSA also has broader exposure to a wide range of merchant environments, compensating controls and acquirer negotiations.
Therefore, Level 2 retailers might take a look at a hybrid approach. That is, send one or two qualified staff to the Council’s ISA Training but still retain a QSA to consult with, guide and mentor your ISAs for their first assessment or two. The total costs will be lower than a full-blown QSA assessment, albeit not quite as independent or thorough because you won’t be looking to the QSA to complete a ROC or sign the Attestation of Compliance. Instead, the QSA is a consultant guiding you and your ISAs through the compliance process. As a bonus, you provide a more varied, richer and more visible job experience to your ISAs.
Whichever program you choose, you should make up your mind soon. Both Standards and ISA Training are offered monthly somewhere on the globe, but the sessions fill up fast. The PCI Council’s Web site includes both schedules, although they only go a few months out, so making long-range plans can be challenging. I hope the Council will add more trainers and more sessions. Until then, demand is likely to outstrip supply.
What do you do for PCI training? Have you looked at the new programs? What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me.
May 13th, 2010 at 9:20 am
As cost effective as this training is, it’s still too expensive for level 4 merchants (both time and money). What would you advise for non-tech savvy level 4 merchants? Do you think the PCI Council will have a webinar option for them to learn the basics?
May 13th, 2010 at 2:09 pm
Thanks for your suggestion, Russell. Having an official PCI Council training webinar is a great idea! I hope the PCI Council trainers can do a PCI 101 course or similar focused on business requirements, but their plate is pretty full right now. Meanwhile, check the Council’s website for recordings of past webinars: https://www.pcisecuritystandards.org/education/webinars.shtml.
MasterCard has its Merchant Education Program (http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html) with some modules that could be valuable, too.
Webinars are one thing, but you can’t replace face-to-face training and information sharing with your peers. Therefore you should speak to any industry associations you belong to. For example, I do PCI training for one association annually which draws a good crowd, and I have done PCI training for clients, trade groups, and at industry meetings (and I’m sure other QSAs and consultants do, too). You might check and see if that is an option. Lastly, speak with your acquirer or QSA to see what training they might be able to offer.
Personally, I wish trade associations or vendors would step into the breach and provide PCI training (in person and/or webinar) as a value-added service to their members/customers. It would be a cost-effective alternative for small and medium businesses particularly. I know associations have a lot of things going on with legislation and all, but PCI is pretty important to their members.
May 13th, 2010 at 4:25 pm
If I’m a Level 1 merchant, why would I not consider the ISA training? Has Visa changed their rules by stating that level 1 merchants must use a QSA? Looks like the VISA CISP website still states that acquirers can accept ROCs performed internally.
May 13th, 2010 at 7:35 pm
@ return,
Thanks for your comment.
Let’s look at Visa’s website which says: “Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer.” To me, that’s pretty clear. But as you point out, it continues: “Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Attestation of Compliance for Onsite Assessments – Merchants form completed by their assessor to their acquirers.”
A few points here. First, Visa says L1 merchants should engage a QSA to prepare the ROC. That part is pretty clear, and when a company like Visa says “should” it generally means “you will.”
Second, Visa leaves open the option for the L1 merchant’s acquirer to accept a ROC provided an officer of the company sends a letter. I don’t know what such a letter should say (My QSA was out sick today? My QSA and I didn’t agree?), but you still need a ROC prepared by an assessor. Remember, this option is at the discretion of the acquirer; it is not a merchant option.
Personally (yes I’m a QSA and yes I’m likely biased), I think an acquirer would have to have rocks in their head to take on the risk of a major data compromise at an L1 merchant without a QSA assessment. If/when the merchant is breached, the acquirer could have a tough time passing the fine to the merchant if they were the ones who said it was OK to skip the outside assessment. I don’t think too many acquirers are willing to take that risk in this current threat environment. They have everything to lose (as in $millions, and the relationship officer’s job) and nothing to gain. I’d love to hear from an L1 merchant who managed to talk their acquirer into skipping an outside assessment after TJX, et al.
Third, it looks like the merchant still needs the AOC to be “completed by their assessor.” It doesn’t say “Qualified Security Assessor”, just “assessor,” so there is some ambiguity, but I believe based on the first sentence Visa’s intent is a QSA.
Therefore, I’d say that the opportunity to self-assess for L1 merchants is pretty limited, and the decision rests with the acquirer and not the merchant. Even so, there is no statement (so far, at least) from Visa that whoever is the internal assessor, she/he needs the ISA credential.
I’m a fan of the Council, and I recommend their training to you. My point is that you should sign up for the course that’s right for you whether or not you get some initials after your name.
May 13th, 2010 at 8:44 pm
I am a merchant service provider for three of the largest acquirers. Our acquiring banks are requiring that all of our merchants, including the Level four, moms and pops, one man band, “validate” their compliancy. (Self-validation is fine.)
When you refer to certification, are you speaking about the vulnerability scans? Our processors are requiring that any merchant who qualifies to have a scan under the PCI DSS description present their scan reports for certification.
I agree that it doesn’t have to cost anything for stand alone terminal merchants, but the real problem is that merchants and people working in the industry are still confused as to what they are supposed to do. They are looking at the big picture and not at how it relates directly to their internal space.
May 14th, 2010 at 1:07 pm
@Breina,
Thanks for your comment. The vulnerability scans you mention are part of a merchant’s PCI compliance. Merchants requiring quarterly scanning (i.e., those completing SAQ C and D) must have them done by an ASV. Sometimes the acquirer will want to see the scan summaries, but generally they go with the SAQ, which when completed includes the scanning (Requirement 11).
BTW, there is no such thing as “certified” in PCI. A merchant or processor or application can be validated, but nothing is certified. The difference is important. Compliance validation is at a point in time, and a merchant or processor can slip out of compliance with one system change. Certification implies a sort of guarantee that unfortunately doesn’t exist in the PCI world.