Should Retailers Use PCI Training To Enhance—Or Replace—Their QSA?
Written by Walter Conway. A 403 Labs QSA and PCI columnist, Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Details of the PCI Council’s new “Merchant QSA” training program will be finalized in a few months, but it’s unclear how retailers will use it. Is a few days’ training enough to qualify your Internal Auditor to lead a PCI compliance assessment? What is the business case for using an Internal Audit instead of a QSA? Could the training—whether for a Level 1 or Level 2 merchant—be used to build on or supplement a QSA? That is, will the Merchant QSA training be most useful to merchants as a valuable accessory or an entirely new PCI wardrobe?
This is the program MasterCard referred to when it announced a new compliance validation process for Level 1 and Level 2 merchants. MasterCard’s new Level 2 merchant PCI compliance regime made one significant change that affects both Level 2 and Level 1 merchants: The merchant’s own Internal Audit staff is now allowed to conduct the annual PCI assessment. There are two conditions: the provision applies to Internal Audit staff only (not IT audit or anyone else), and the auditors must be trained by the PCI Council.
With the announcement of the Council’s Merchant QSA (Internal Audit) Program, Level 1 and Level 2 merchants will have to decide how to take advantage of the opportunity. Will merchants use it to replace a QSA (or, in the case of Level 2 merchants, to avoid hiring one)? Some likely will. Alternatively, will merchants instead use their trained Internal Auditors to get more value out of their QSA (and maybe even pick up some on-the-job PCI training along the way)?
First, let’s look at the business case. The PCI Council’s current merchant training program costs about $1,000, to which you have to add travel costs, and it lasts two days. The new Merchant QSA training will need to run at least one additional day, and you can expect it to be priced higher to cover the increased expenses of the longer session and the testing (yes, there almost certainly will be a written test). Merchants will also have some minor recurring costs for continuing-education requirements and/or requalification (QSAs requalify annually).
March 2nd, 2010 at 9:15 pm
This not only undermines PCI but just undermines the benefit of a 3rd party. On a cost basis, it’s probably a no-brainer. Realistically, if you want PCI to work, you can’t have the person managing the books and writing the checks. They’re going to do what’s in the best interest of the bottom line.
Just look at things as simple as using CVV for online transactions. It’s in the best interest of everyone for fraud prevention. It’s free and easy to use. Most big retailers don’t use it because the losses incurred when requiring CVV outweigh their losses from fraud.
March 4th, 2010 at 3:53 pm
I think this arrangement represents a balanced compromise. The goal was to increase the overall quality of merchant assessments, specifically self-assessments. Originally that was to be accomplished by expanding the QSA franchise. This solution allows merchants to continue self-assessing, while mandating a measurable and demonstrable understanding of PCI DSS by the self-assessor through examination. It also keeps the QSA firms sharp by forcing them to deliver value above and beyond the internal assessor to EARN merchant business, as opposed to having it handed to them.