New PCI Certification Program Aims to Educate, Certify More Payments Players
A new certification program from the PCI Security Standards Council is focused on training and educating people, rather than organizations, about payment card data security.
Employees and even individuals not affiliated with a banking institution, merchant or other payments organization are welcome to enroll, Russo adds.
"It provides a foundation credential for those who are newer to the industry, to help them build their expertise, while those with more experience can also benefit from this credential," he says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
Individuals who are certified under the PCIP will have their names posted on the PCI Council's website, offering organizations easy access to a list of potential hires who have the credential, Russo says. The qualification is also transferable and not linked to a specific employer.
"We see this as a win-win for everyone," Russo says. "Through this program we help to build a really good baseline of PCI knowledge across the industry."
During this interview, Russo discusses:
- How the PCIP program works and how to enroll;
- Steps the PCI Council is taking to expand PCI knowledge globally;
- Additional information that is being reviewed and discussed with international payments networks.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.
PCIP: PCI Professional Program
TRACY KITTEN: The council announced the creation of this new PCI certification program which is designed for individuals rather than companies. This program is a little bit different because it's not affiliated with a particular organization. What makes this certification different and how does this program help to fill a void or a niche?
BOB RUSSO: Over the last few years, what we've heard from the market was a request for additional training options to help them better equip their employees and prepare for ongoing PCI assessments that they may get. Now of course, we have our internal security assessor, our ISA program for example, and that's been really successful in helping to keep an organization secure between the periods of the routine QSA assessments that they've got because their people are trained on PCI internally.
However, that certification, while achieved by an individual as you said initially, is tied to the organization that they work for and not accessible to more entry-level kinds of professionals. So with that in mind, the PCIP accreditation stays with the individual and regardless of where they go it's with them and not with the employer.
It provides a foundation credential for those who are newer to the industry to help them build their expertise, while those with more experience can also benefit from this credential as well and take the exam only if they've got enough information under their belt. It's also important to point out that the PCI Internal Assessor program and the PCI QSA program have an industry-recognized level of expertise in PCI standards, and this can certainly add that PCIP credential by registering those people with the SSC as well.
They will be grandfathered into this program and have that certification. Banks, merchants and other organizations could take advantage of this new program, this new PCIP program to build PCI expertise internally, as well as leverage this global PCIP listing on the website when they're looking to hire professionals they can go to our website and see who actually has this credential. We see this as a win-win for everyone. Through this program we help to build a really good baseline of PCI knowledge across the industry.
Qualifying to Participate
KITTEN: I wanted to ask about who was qualified to participate in this program and you've answered that question. It sounds like this is more for individuals who might just be entering the marketplace.
RUSSO: The PCIP training program is basically a direct response that we got from the industry to come up with a recognized certification that demonstrates what their specialized knowledge is and specifically their understanding of the PCI standards and what it means in the payment industry. Again, this is a transferable qualification so it's not linked to a specific employer. You can take it with you.
KITTEN: Now I know that the program is going to be discussed next week during the bi-annual community meeting, but where can individuals or interested candidates get more information about this program in the meantime?
RUSSO: All of this information is available at our website, www.pcisecuritystandards.org, and there's a full training section where we provide additional details and resources on the full spectrum of training offerings from PCIP all the way to basic PCI awareness training. Even if you've visited the site before, you should really check it out on a regular basis as we add all kinds of new training programs and specifically training dates that are out in the future. Those people that are interested in PCIP can review the program guide and the qualification requirements there and then fill out the online form and begin the application process.
Tips for IT and Payments Security Pros
KITTEN: Before we close, what additional points would you like to make about the upcoming meeting and/or the new certification program generally?
RUSSO: If you're an IT or a payments security professional, we hope that you'll certainly check this program out. If you're in a financial institution, this credential will be a great way to train your people to support your payments security efforts, but also an excellent tool that you can use to help hire qualified professionals, as I said earlier.
We will have a complete directory on our website of all of the people who have been trained and have been qualified and passed the test. The most important tool in your arsenal to protect against these data breaches involving payment card data is always education and knowledge. We get one more step in that direction, and how we do this as an industry and the development of these programs and our standards really depends on the involvement of the payments community. It's really the focus of the PCI community meetings that we have coming up. This training program, a recently released QIR, or Qualified Integrators and Resellers program, all the latest updates on how technology areas like mobile and point-to-point encryption, as well as insight to the BSI standards coming out in 2013, are all going to be key topics at next week's community meeting in Orlando and then again in October at the European meeting in Dublin.