PCI Training Gets High Marks

Internal Security Assessor Program Raises Awareness
John South, chief information security officer at Heartland Payment Systems, was among the early adopters of the new Internal Security Assessor (ISA) training program launched by the PCI Security Standards Council last August.

Heartland is the payment card processor involved in the high-profile 2009 data breach. South says the three-day training session gave him better insight into the elements of the Payment Card Industry Data Security Standard and how the standard is looked at and applied from a Qualified Security Assessor's perspective.

"It provided a very good foundation to understand what should be in place to secure payments and systems on a daily basis," South says. "It also helped me to understand how the QSA looks at the elements of PCI when they review and access requirements."

For example, if a PCI element says to validate a network map, South previously would have assumed that the QSA scoring would be on the basis that a valid map exists. "However, having gone through the ISA training," South says, "I now understand that the QSA looks for the protection and testing of elements in the same order as shown in the map."

The Need for the ISA Program

The PCI standard was created by the major credit card companies and covers all organizations that accept credit and debit card transactions. The standard specifies several high-level security controls that all companies handling payment card data are required to implement.

Companies -- especially large and medium-sized ones -- are required to submit periodic updates of their PCI compliance and are subject to an annual on-site assessment by a third-party QSA.

The ISA program was introduced to help organizations get up to speed on how to comply with PCI and become more security focused, says Jeremy King, the PCI Council's European director. "It pushes the need for data security beyond card data to all forms of data."

He further adds that people always wanted to know what the QSA is looking for in the annual audits, and the ISA program is largely designed to address the format and conformance that a QSA seeks from merchant companies.

The ISA training program is targeted at internal employees at merchant companies, who can be either a full-time resource dedicated to PCI or a person wearing many different hats. The idea is to ensure best practices are being implemented to protect systems and data.

Krystal Mattich, a corporate compliance specialist, and William Paynter, a senior accounting manager, are both trained in the ISA program and work for an internet service provider with approximately $200 million in annual revenues. For them, the program is all about establishing trust and confidence internally within their company.

"People now trust how we do things in a certain way because they can see security being built in our daily activities," Paynter says.

Business Benefits

Cost savings from the ISA program are a huge benefit to organizations, says Ben Rothke, PCI analyst and QSA at BT Global Services. "It is much cheaper to have internal employees comply with PCI than using an external QSA."

Rothke notes that having an ISA helps to hit the ground running, as all the information is in the desired format needed by a QSA, which results in higher efficiency and reduced billable hours by the QSA at the client site.

Also, a second benefit to organizations comes in terms of leveraging internal expertise. "An ISA is really a QSA who is internal and drives PCI compliance for one company, and as such is more likely to understand the environment better than an outsider," Rothke says.

According to Mattich, a big benefit is raising the awareness levels of PCI compliance within the company. "We have had both formal and informal training sessions on PCI, and now everyone understands what PCI is at least on a high level." She also finds the opportunity to network with other merchants in the ISA program a big plus. "I have a tight community with whom I can discuss relevant PCI issues, concerns and derive value," she says.

Program Details

The ISA training consists of a four-hour online prerequisite course and exam covering PCI fundamentals, followed by an in-depth, two-day (down from the original three), instructor-led course and exam. Successful completion results in ISA qualification and a PCI ISA certificate.

"This is, however, not an easy exam to pass," says South. "If you do not have prior knowledge or experience with PCI, it can get overwhelming."

South's one criticism is that the program does not specifically address emerging technologies such as mobile applications and the Europay, MasterCard, Visa standard, which he feels should be incorporated as part of the training curriculum.

So far, the PCI Council has held eight training sessions globally with more than 210 people participating in the ISA program. "We are training organizations to become more security focused and get them away from the check box mentality," King says. "This is a start for setting higher standards in the industry and bringing the focus to true data protection."


About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.



