PCI training for a merchant IT manager
penaltykill
06-25-2009, 08:29 PM
Hi everyone,
One day we received a phone call from our credit cards processing company and suddenly I became the PCI expert for the company.
Is there any actual PCI training you can get anywhere? I don't want to turn myself into a QSA or anything like that, but I feel like I'm guessing my way through some answers and formal education would build my confidence.
admin
06-26-2009, 06:17 AM
The Society of Payment Security Professionals offers two certifications focusing on security in the Payment Card Industry. They cover a variety of topics from the Industry Landscape, to Merchant Risk Analysis, PCI DSS, and other data security and privacy mandates. For more information on the certifications, please visit this page: https://www.paymentsecuritypros.com/certifications/.
The next dates are August 18 -21 in Denver.
jonassono
06-29-2009, 12:33 PM
Hi everyone,
One day we received a phone call from our credit cards processing company and suddenly I became the PCI expert for the company.
Is there any actual PCI training you can get anywhere? I don't want to turn myself into a QSA or anything like that, but I feel like I'm guessing my way through some answers and formal education would build my confidence.
The PCI Council are now offering an abridged version of the QSA training for interested merchant staff - check the PCI-DSS web site for more information on the content, dates and locations.
However, the most critical knowledge component for performing PCI assessments is a solid grounding in information security (CISSP, CISA, CISM or the like) plus a broad, and as detailed as possible, background in IP networking, operations, infrastructure architecture & design and application development.
The actual PCI-DSS training (which I took a while back) is only 3 short days and focuses on how to perform an assessment using the PCI-DSS Security Assessment Procedures. They touched on sampling procedures, examples of documentation to support the RoC and so forth.
Nothing you couldn't glean from reading and following the Procedures. There was no reference to the Self Assessment approach whatsoever, only the on site assessment as performed by a QSA with a resulting Report on Compliance for the merchant.
IMHO, the biggest challenge with PCI-DSS is the interpretation ambiguities, contradictions, and the resulting confusion and chaos that exists with the standard.
Many places in the standard are very prescriptive and in others it is completely vague or contains no direction at all.
Incidentally, a QSA must first be a full time employee of a QSA Company, take the requisite training course, pass a simple open book exam and, finally, pay the PCI Council $1000 per year for the privilege. In other words, you cannot be self employed, work for a merchant, acquirer or service provider and become a QSA. That is no permissimo!!
admin
06-29-2009, 01:26 PM
I was one of the original QSAs and one of two QSA trainers for the PCI SSC. We trained over 2500 QSAs and over 14,000 people when the card brand classes are counted. We no longer train QSAs for the council.
We created the CPISM specifically to address the gaps in education and answer questions like the ones being posed on this forum.
The objective of the CPISM is to teach people how to understand the intent of the requirements as well as specific aspects of the standard and interpretation. In the past 12 months we have had almost half as many CPISM candidates as there are QSAs and the pass rate demonstrates the exam is difficult.
Understanding security is not enough. Understanding the rules is not enough. It is important to understand the intent and how to apply security within a complex industry that has a number of nuances.
We have certified two major QSA firms and many individual QSAs. Last week we finished a training for a major acquirer and their merchants, as well.
Certainly shop for the best training for your needs. If you are interested, take a spin through the CPISM info on the SPSP website.
ADail
06-30-2009, 12:02 PM
I'll give admin an endorsement on the CPISM/A material. It was a great class and covered far more about the payment card industry and general compliance management than the PCI SSC class did. In a "perfect world" everyone would take the CPISM class to learn about compliance management, and the PCI SSC class would be 3 or 4 days of how they interpret each standard.
The only training I've taken that kept my attention as well as the CPISM/A class involved getting a parachute to open, but I was highly interested in the final outcome.
jonassono
07-12-2009, 09:21 AM
I was one of the original QSAs and one of two QSA trainers for the PCI SSC. We trained over 2500 QSAs and over 14,000 people when the card brand classes are counted. We no longer train QSAs for the council.
We created the CPISM specifically to address the gaps in education and answer questions like the ones being posed on this forum.
The objective of the CPISM is to teach people how to understand the intent of the requirements as well as specific aspects of the standard and interpretation. In the past 12 months we have had almost half as many CPISM candidates as there are QSAs and the pass rate demonstrates the exam is difficult.
Understanding security is not enough. Understanding the rules is not enough. It is important to understand the intent and how to apply security within a complex industry that has a number of nuances.
We have certified two major QSA firms and many individual QSAs. Last week we finished a training for a major acquirer and their merchants, as well.
Certainly shop for the best training for your needs. If you are interested, take a spin through the CPISM info on the SPSP website.
The major problem with the PCI standard is that it is not a 'standard' at all - it's a constantly shifting and moving target.
While attending training courses are helpful to explain things at a point in time, virtually every month or so some new twist comes along that changes the fundamental rules entirely.
For example, last month MasterCard announced that all Level 2 merchants are no longer allowed to self assess. This potentially impacts tens of thousands of merchants, most notably costing them hundreds of thousands of dollars in additional assessment costs. (Gartner reported that the average assessment cost for Level 1 merchants in 2008 was $255K.)
Another exception: VISA Canada requires that all self assessments be reviewed by a QSA. Nowhere else in the world is there such a requirement and, more importantly, most acquirers in Canada are unaware of the rule. This is like 2 and 2 equals 4 everywhere except in Canada.
IMHO, the really smart merchants decline credit cards and accept only debit and cash.
jbhall56
07-12-2009, 03:37 PM
The standard isn't constant because threats aren't constant.
In theory, if you could get all of the bugs and attack points removed out of software and then get all of the researchers and attackers to stop trying to discover new attack vectors, the world would be a better place. As I like to say, in theory, theory works.
However, software is developed and tested by people, reviewed and analyzed by people and people are fallible. Bugs and attack vectors get into software because of that fallibility. And, as a result, attackers discover these new attack vectors and then leverage them.
People looking for a tighter standard are not living in the real world. If the PCI standards were so tightly prescriptive then people would be complaining about the fact that they dictate too much. How would you like a standard that told you exactly what firewalls, routers, OS, RDBMS, etc. to use? No alternatives, no options. Microsoft, Cisco or whoever won out would love it. That would be an easy way out, but that goes against the free market system. The other thing it would do is create a single environment to attack, making attacks even easier than they are today. You would likely see the infiltration of the vendors to introduce attack vectors straight into their code.
The reason the standards appear 'loose' is so that people have options on how to approach and solve security problems based on their environment. Not everyone has their data stored in SQL Server or runs Windows. There is something to be said for security by diversity. It's not a 'silver bullet' by any means, but it does add a level of complexity. However, by migrating to XML, HTML, browsers and other platform independent standards, one can argue that we are not doing ourselves any favors by eliminating the little bit of diversity we might have.
jonassono
08-23-2009, 08:30 AM
The standard isn't constant because threats aren't constant. I suggest, therefore, it is not a standard. Imagine the effect of the accounting industry changing their rules every month or so. How about the telecommunications industry, the foundation for the Internet - try changing the IP protocols every month.
In theory, if you could get all of the bugs and attack points removed out of software and then get all of the researchers and attackers to stop trying to discover new attack vectors, the world would be a better place. As I like to say, in theory, theory works.
However, software is developed and tested by people, reviewed and analyzed by people and people are fallible. Bugs and attack vectors get into software because of that fallibility. And, as a result, attackers discover these new attack vectors and then leverage them.
People looking for a tighter standard are not living in the real world. If the PCI standards were so tightly prescriptive then people would be complaining about the fact that they dictate too much. How would you like a standard that told you exactly what firewalls, routers, OS, RDBMS, etc. to use? No alternatives, no options. Microsoft, Cisco or whoever won out would love it. That would be an easy way out, but that goes against the free market system. The other thing it would do is create a single environment to attack, making attacks even easier than they are today. You would likely see the infiltration of the vendors to introduce attack vectors straight into their code.
The reason the standards appear 'loose' is so that people have options on how to approach and solve security problems based on their environment. Not everyone has their data stored in SQL Server or runs Windows. There is something to be said for security by diversity. It's not a 'silver bullet' by any means, but it does add a level of complexity. However, by migrating to XML, HTML, browsers and other platform independent standards, one can argue that we are not doing ourselves any favors by eliminating the little bit of diversity we might have.
The PCI Security Standards Council should be called the PCI Security Guidelines Council since that is what their library of documentation constitutes.
lyalc
08-23-2009, 01:59 PM
One of the challenges with PCI DSS is that it is outcomes driven - e.g. have controls in place that protect data stored on electronic media (3.4-3.6).
Many technology-centric processes tend to be process/rule driven in some way, either by design, site-specific 'culture', or simply "that's the way it's done around here". In an age where
The hard part in PCI DSS is communicating each of the required outcomes to IT, operations and business people in a way that relates to their business, commensurate with the evolving threat, then helping them formulate a compliance strategy that focuses on compliance and security outcomes, not "is box 42 checked".
The latter methodology is, in my view, highly reactive, and means significant remediation effort every year to bring technology and business changes back into compliance with the stated outcomes.
Medicine and accounting are 2 other industries where the outcomes remain fairly constant, but the processes to reach the outcomes have and will continue to change.
e.g. accounting rules, stock exchange rules, market conditions and taxation legislation change all the time, particularly if you operate in multiple jurisdictions. Adjusting financial structure occurs all the time as a result.
Medical procedures and treatment techniques change, but the goal/outcome (equal or better lifestyle) hasn't.
Expecting PCI compliance to be a static process is like IT's version of King Canute stemming the waves of technology innovation and change - but the compliance 'shoreline' doesn't change much at all (until a new PCI version comes out anyways).
</philosophical_mode=off>
lyalc
egrenier
08-25-2009, 10:13 AM
The major problem with the PCI standard is that it is not a 'standard' at all - it's a constantly shifting and moving target.
While attending training courses are helpful to explain things at a point in time, virtually every month or so some new twist comes along that changes the fundamental rules entirely.
For example, last month MasterCard announced that all Level 2 merchants are no longer allowed to self assess. This potentially impacts tens of thousands of merchants, most notably costing them hundreds of thousands of dollars in additional assessment costs. (Gartner reported that the average assessment cost for Level 1 merchants in 2008 was $255K.)
Another exception: VISA Canada requires that all self assessments be reviewed by a QSA. Nowhere else in the world is there such a requirement and, more importantly, most acquirers in Canada are unaware of the rule. This is like 2 and 2 equals 4 everywhere except in Canada.
IMHO, the really smart merchants decline credit cards and accept only debit and cash.
It is interesting that you blame the council and dismiss the standard while giving examples of Brands' security program requirements.
The standard is a standard as produced by the PCI-SSC and adopted by the brands as a uniform list of controls and testing procedures for their security programs.
IMHO, declining credit cards to avoid protecting the IT infrastructure has to be the dumbest way to do business.
The really smart merchant uses PCI as a springboard for other security issues and to improve the overall business security.