Should Retailers Use PCI Training To Enhance—Or Replace—Their QSA?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Details of the PCI Council’s new “Merchant QSA” training program will be finalized in a few months, but it's unclear how retailers will use it. Is a few days’ training enough to qualify your Internal Auditor to lead a PCI compliance assessment? What is the business case for using an Internal Audit instead of a QSA? Could the training—whether for a Level 1 or Level 2 merchant—be used to build on or supplement a QSA? That is, will the Merchant QSA training be most useful to merchants as a valuable accessory or an entirely new PCI wardrobe?

This is the program MasterCard referred to when it announced a new compliance validation process for Level 1 and Level 2 merchants. MasterCard’s new Level 2 merchant PCI Compliance regime made one significant change that affects both Level 2 and Level 1 merchants: The merchant’s own Internal Audit staff is now allowed to conduct the annual PCI assessment. The two requirements are that the provision applies to Internal Audit staff only (no fair using IT audit or anybody else) and that the auditors must be trained by the PCI Council.

With the announcement of the Council’s Merchant QSA (Internal Audit) Program, Level 1 and Level 2 merchants will have to decide how to take advantage of the opportunity. Will merchants use it to replace--or in the case of Level 2 merchants, to avoid hiring--a QSA? Some likely will. Alternatively, will merchants instead use their trained Internal Auditors to leverage the QSA to get greater value (and maybe even continue with some on-the-job PCI training)?

First, let’s look at the business case. The PCI Council’s current merchant training program costs about $1,000, to which you have to add travel costs. It lasts two days. The new Merchant QSA training will need to run at least an additional day, and you can expect it to be priced higher to cover the increased expenses of the longer session and testing (yes, there almost certainly will be a written test). Merchants will have some minor recurring costs for continuing education requirements and/or requalification (QSAs requalify annually)Some merchants will see the benefits as reducing or even eliminating various QSA costs. Merchants need to assess how significant the QSA’s professional fees are in relation to the total cost of a PCI assessment. Often, the infrastructure costs and dedicated internal resources--including the newly trained Auditors--are a large part of the total cost. In addition, merchants still need internal and external penetration tests, the costs of which can be a major part of a QSA engagement. Remember, too, your quarterly external vulnerability scans still need to be conducted by an Approved Scanning Vendor (ASV).

Second, let’s look at the product: the assessment itself. The PCI DSS is complex, and QSAs live in it. QSAs regularly call on their colleagues to review findings, discuss interpretations, seek advice and craft compensating controls. QSA firms have a formal quality assurance process for each document or Report on Compliance (ROC) that goes out. One or even several Internal Auditors with limited exposure to PCI (how many are conversant in encryption key management, firewall rules or certificate authority?) and few colleagues to talk with will lack these advantages.

PCI is about protecting the enterprise. This point brings up an awkward organizational issue: Will Internal Audit be able, politically, to deliver the occasional difficult news that a technical or business process has to be changed? If this ability cannot be guaranteed, the merchant may be validated, but it will not be compliant. And it certainly will not be secure.

A reasonable middle ground is that Level 1 and Level 2 merchants will use the Merchant QSA training to leverage an existing QSA relationship. For example, the document gathering phase of an assessment might be compressed and the onsite visit(s) might be conducted quicker and more effectively. Compensating controls can be drafted internally.

Such an approach can save QSAs time. The Internal Auditor also gets valuable on-the-job PCI training by working closely with an experienced QSA and bouncing ideas around with that person. The QSA has been through the assessment process before and has a lot of experience to share. (Hint: The ability to work with their staff and “teach” PCI may be something merchants should consider when seeking their QSA.)

The question for Level 1 and Level 2 merchants should not be whether to send their staff to the PCI Council’s Merchant QSA training. That is a no-brainer. I hope every merchant sends people to this course, or at least to the current merchant training. It would be great to see those courses so full that the Council has to schedule additional sessions. There is not a QSA on the planet who doesn’t want a knowledgeable, PCI-savvy merchant as a client.

I’d like to hear what you think. Have you sent staff to the current training program? If so, what was their response? Do you plan to send your Internal Auditor(s) to the Council’s training? Either leave a comment or E-mail me at [email protected].