Avoid Paying For PCI Certification You Don't Need

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Retailers these days have far fewer PCI training options open to them. About the only game in town anymore for detailed PCI standards training is the PCI Council itself. But be sure to choose your program carefully. Unless you are an L2 merchant who plans to self-assess, you could find yourself overpaying for a certification that you don't need.

With its most recent announcement, the PCI Council is now offering merchant training in two flavors: PCI Standards Training, which is open to every merchant, and the new PCI Internal Security Assessor (ISA) Training, which is aimed at Level 2 merchants who want to continue using a Self-Assessment Questionnaire (SAQ). The two questions for retail CIOs are:

  • Which program is right for your organization?
  • How do you maximize the return on your training investment?

If you are looking for PCI training, then what better source could there be than the PCI Council itself? In the past, Visa and some banks—notably Wells Fargo—offered two-day PCI training programs for merchants. The cost to attend was minimal (sometimes free) and the trainers were the same people who trained QSAs, so each option was a rigorous program. I know because I had the opportunity to attend both.

Neither option is available today. But the PCI Council has stepped into the gap by cloning its QSA training to produce two different programs, both aimed at merchants. And the differences are important.

The PCI Council has offered its PCI Standards Training program for over a year. This two-day session is modeled on the Council's QSA training. It covers the PCI program, scoping an assessment, the PCI DSS requirements in detail and a fourth part that is not included in QSA training but addresses managing your ongoing compliance program, including some best practices.

Personally, I wish every merchant on the planet would send a couple of people to a Standards Training session. As a QSA, I know any assignment is more productive when the client knows what they need to do to become compliant. Everything goes more smoothly when both parties have an understanding of PCI and the intent of the requirements.

Plus, a trained employee knows her company better than any outsider. As a result, she may be able to assess internal vulnerabilities and risks better than a QSA who is exposed to the merchant's environment for only a relatively short time.

This Standards Training costs $995 with a 10 percent discount for Participating Organizations. When you throw in the hotel, meals and travel, you can count on spending about $2,000 for each person you send. If the training investment saves you only a day or so of QSA time, it still pays for itself almost immediately. To me, therefore, it's a no-brainer.

The Council recently announced its ISA Training, which is designed to help Level 2 merchants meet the new MasterCard compliance validation requirements. In case you missed the news, effective June 2011 Level 2 merchants can continue to self-assess only if their SAQ is prepared by internal staff who have successfully completed this ISA program. Because the alternative is to hire a QSA to perform an independent assessment, many Level 2 merchants have been anxiously awaiting the details on this program.

If you are a Level 2 merchant and you want to continue using an SAQ, your first step is to become an ISA Sponsor Company. This step mostly involves completing a form and sending it to the PCI Council. There are a few requirements, though: ISA Training is only for merchants and processors; you have to have an internal audit department; and you cannot be affiliated with a QSA or ASV company in any way. That is, ISA Training and certification is for merchants, not consultants.

Once ISA Sponsor Company status is achieved, that company nominates individual full-time employees, who are designated as Internal Security Assessors, to attend ISA Training. The guidelines for who can attend include those employees with at least five years' experience in addition to a CISSP, CISA or CISM certification or equivalent work experience. In other words, attendees should already have significant security audit experience and technical expertise.

ISA Training costs $2,495 per attendee. (Will someone please tell me why it could not have just made it $2,500?) It lasts three days and includes a written test. If you are a Participating Organization (PO), you get a $1,000 discount, paying $1,495, a pretty good return on your annual membership fee and yet another reason why you should be a PO. Like QSAs, ISAs require annual recertification training and testing, at a cost of an additional $995 per ISA per year. (As far as I can tell, there is no charge to become an ISA Sponsor Company.) Add in travel charges, and the up-front cost comes to about $4,000 per person ($3,000 for a PO), or double the cost of Standards Training.

This brings us to the question of which training is right for your company. If you are a Level 1 retailer (or a Service Provider), stick with the two-day Standards Training. It covers the same material, has the same trainer, costs less and, as long as Visa requires you to hire a QSA to prepare your Report on Compliance (ROC), you don't get any benefit from the extra money you spend on the ISA Certification. The same recommendation goes for Level 2 merchants who decide to retain a QSA for their assessment and even for Level 3 and 4 merchants who want to understand PCI DSS.

If you are a Level 2 merchant who wants to validate using an SAQ, however, the new ISA Training is for you. I suggest, though, you send a couple of people. PCI DSS is a complicated standard, and your ISA will need someone else with whom to discuss ideas, options and interpretations.

Why would a Level 2 merchant hire a QSA even with the ISA option? I am a QSA so I'm biased, but there are a few things a CIO needs to consider. A QSA offers a more thorough assessment because they live and breathe PCI every day; your ISA has a whopping three days of training and a year between assessments. As an outsider, a QSA can more easily deliver bad news or take a stand that may be organizationally unpopular even though it is in your company's best interests. That is, the QSA is interested primarily in your compliance, whereas delivering uncomfortable news can be awkward for an ISA who has to consider his career path. A QSA also has broader exposure to a wide range of merchant environments, compensating controls and acquirer negotiations.

Therefore, Level 2 retailers might take a look at a hybrid approach. That is, send one or two qualified staff to the Council's ISA Training but still retain a QSA to consult with, guide and mentor your ISAs for their first assessment or two. The total costs will be lower than a full-blown QSA assessment, albeit not quite as independent or thorough because you won't be looking to the QSA to complete a ROC or sign the Attestation of Compliance. Instead, the QSA is a consultant guiding you and your ISAs through the compliance process. As a bonus, you provide a more varied, richer and more visible job experience to your ISAs.

Whichever program you choose, you should make up your mind soon. Both Standards and ISA Training are offered monthly somewhere on the globe, but the sessions fill up fast. The PCI Council's Web site includes both schedules, although they only go a few months out, so making long-range plans can be challenging. I hope the Council will add more trainers and more sessions. Until then, demand is likely to outstrip supply.

What do you do for PCI training? Have you looked at the new programs? What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me.