
This is page 3 of:

Avoid Paying For PCI Certification You Don’t Need

May 12th, 2010

This brings us to the question of which training is right for your company. If you are a Level 1 retailer (or a Service Provider), stick with the two-day Standards Training. It covers the same material, has the same trainer, costs less and, as long as Visa requires you to hire a QSA to prepare your Report on Compliance (ROC), you don’t get any benefit from the extra money you spend on the ISA Certification. The same recommendation goes for Level 2 merchants who decide to retain a QSA for their assessment, and even for Level 3 and 4 merchants who simply want to understand PCI DSS.

If you are a Level 2 merchant who wants to validate using an SAQ, however, the new ISA Training is for you. I suggest, though, you send a couple of people. PCI DSS is a complicated standard, and your ISA will need someone else with whom to discuss ideas, options and interpretations.

Why would a Level 2 merchant hire a QSA even with the ISA option? I am a QSA so I’m biased, but there are a few things a CIO needs to consider. A QSA offers a more thorough assessment because they live and breathe PCI every day; your ISA has a whopping three days of training and a year between assessments. As an outsider, a QSA can more easily deliver bad news or take a stand that may be organizationally unpopular even though it is in your company’s best interests. That is, the QSA is interested primarily in your compliance, whereas delivering uncomfortable news can be awkward for an ISA who has to consider his career path. A QSA also has broader exposure to a wide range of merchant environments, compensating controls and acquirer negotiations.

Therefore, Level 2 retailers might take a look at a hybrid approach. That is, send one or two qualified staff to the Council’s ISA Training but still retain a QSA to consult with, guide and mentor your ISAs for their first assessment or two. The total costs will be lower than a full-blown QSA assessment, albeit not quite as independent or thorough because you won’t be looking to the QSA to complete a ROC or sign the Attestation of Compliance. Instead, the QSA is a consultant guiding you and your ISAs through the compliance process. As a bonus, you provide a more varied, richer and more visible job experience to your ISAs.

Whichever program you choose, you should make up your mind soon. Both Standards and ISA Training are offered monthly somewhere on the globe, but the sessions fill up fast. The PCI Council’s Web site includes both schedules, although they only go a few months out, so making long-range plans can be challenging. I hope the Council will add more trainers and more sessions. Until then, demand is likely to outstrip supply.

What do you do for PCI training? Have you looked at the new programs? What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me.


6 Comments

  1. Russell Brown Says:

    As cost effective as this training is, it’s still too expensive for level 4 merchants (both time and money). What would you advise for non-tech savvy level 4 merchants? Do you think the PCI Council will have a webinar option for them to learn the basics?

  2. Walt Conway Says:

    Thanks for your suggestion, Russell. Having an official PCI Council training webinar is a great idea! I hope the PCI Council trainers can do a PCI 101 course or similar focused on business requirements, but their plate is pretty full right now. Meanwhile, check the Council’s website for recordings of past webinars: https://www.pcisecuritystandards.org/education/webinars.shtml.

    MasterCard has its Merchant Education Program (http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html) with some modules that could be valuable, too.

    Webinars are one thing, but you can’t replace face-to-face training and information sharing with your peers. Therefore you should speak to any industry associations you belong to. For example, I do PCI training for one association annually which draws a good crowd, and I have done PCI training for clients, trade groups, and at industry meetings (and I’m sure other QSAs and consultants do, too). You might check and see if that is an option. Lastly, speak with your acquirer or QSA to see what training they might be able to offer.

    Personally, I wish trade associations or vendors would step into the breach and provide PCI training (in person and/or webinar) as a value-added service to their members/customers. It would be a cost-effective alternative for small and medium businesses particularly. I know associations have a lot of things going on with legislation and all, but PCI is pretty important to their members.

  3. return Says:

    If I’m a Level 1 merchant, why would I not consider the ISA training? Has Visa changed their rules by stating that level 1 merchants must use a QSA? Looks like the VISA CISP website still states that acquirers can accept ROCs performed internally.

  4. Walt Conway Says:

    @ return,

    Thanks for your comment.

    Let’s look at Visa’s website which says: “Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer.” To me, that’s pretty clear. But as you point out, it continues: “Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Attestation of Compliance for Onsite Assessments – Merchants form completed by their assessor to their acquirers.”

    A few points here. First, Visa says L1 merchants should engage a QSA to prepare the ROC. That part is pretty clear, and when a company like Visa says “should” it generally means “you will.”

    Second, Visa leaves open the option for the L1 merchant’s acquirer to accept a ROC provided an officer of the company sends a letter. I don’t know what such a letter should say (My QSA was out sick today? My QSA and I didn’t agree?), but you still need a ROC prepared by an assessor. Remember, this option is at the discretion of the acquirer; it is not a merchant option.

    Personally (yes I’m a QSA and yes I’m likely biased), I think an acquirer would have to have rocks in their head to take on the risk of a major data compromise at an L1 merchant without a QSA assessment. If/when the merchant is breached, the acquirer could have a tough time passing the fine to the merchant if they were the ones who said it was OK to skip the outside assessment. I don’t think too many acquirers are willing to take that risk in this current threat environment. They have everything to lose (as in $millions, and the relationship officer’s job) and nothing to gain. I’d love to hear from an L1 merchant who managed to talk their acquirer into skipping an outside assessment after TJX, et al.

    Third, it looks like the merchant still needs the AOC to be “completed by their assessor.” It doesn’t say “Qualified Security Assessor,” just “assessor,” so there is some ambiguity, but I believe based on the first sentence Visa’s intent is a QSA.

    Therefore, I’d say that the opportunity to self-assess for L1 merchants is pretty limited, and the decision rests with the acquirer and not the merchant. Even so, there is no statement (so far, at least) from Visa that whoever is the internal assessor, she/he needs the ISA credential.

    I’m a fan of the Council, and I recommend their training to you. My point is that you should sign up for the course that’s right for you whether or not you get some initials after your name.

  5. Breina Montalvo Says:

    I am a merchant service provider for three of the largest acquirers. Our acquiring banks are requiring that all of our merchants, including the Level four, mom-and-pops, one-man bands, “validate” their compliancy. (Self-validation is fine.)

    When you refer to certification, are you speaking about the vulnerability scans? Our processors are requiring that any merchant who qualifies to have a scan under the PCI DSS description present their scan reports for certification.

    I agree that it doesn’t have to cost anything for stand-alone terminal merchants, but the real problem is that merchants and people working in the industry are still confused as to what they are supposed to do. They are looking at the big picture and not at how it relates directly to their internal space.

  6. Walt Conway Says:

    @Breina,

    Thanks for your comment. The vulnerability scans you mention are part of a merchant’s PCI compliance. Merchants requiring quarterly scanning (i.e., those completing SAQ C and D) must have them done by an ASV. Sometimes the acquirer will want to see the scan summaries, but generally they go with the SAQ, which, when completed, includes the scanning (Requirement 11).

    BTW, there is no such thing as “certified” in PCI. A merchant or processor or application can be validated, but nothing is certified. The difference is important. Compliance validation is at a point in time, and a merchant or processor can slip out of compliance with one system change. Certification implies a sort of guarantee that unfortunately doesn’t exist in the PCI world.
