The Green Sheet Online Edition

May 24, 2010  •  Issue 10:05:02

PCI SSC steps up data security education

The PCI Security Standards Council (PCI SSC), the organization in charge of developing and managing the data security protocols that affect payment networks, hardware and software, initiated the Internal Security Assessor (ISA) Program for the training and certification of personnel at large-scale organizations. The program covers the fundamentals and intricacies of the Payment Card Industry (PCI) Data Security Standard (DSS).

The three-day courses are to be held regularly in cities around the world, starting in May 2010 in Sydney, Australia. The training is designed for the security assessment staff at entities like level 1 merchants, acquiring banks and processors.

At the end of the courses, tests will be administered to certify personnel, such as businesses' information technology and risk management professionals, to perform internal assessments for their organizations.

"If you're a large merchant, some of the brands will allow you to do your own assessments," said Bob Russo, General Manager at PCI SSC. "And if you're going to do your own assessment, you certainly will want the people that are doing the assessment internally to be as well trained, if not better trained, than the QSAs [Qualified Security Assessors]."

QSAs are third-party vendors certified by the PCI SSC to audit the PCI compliance of entities' payment systems to ensure they are properly protecting cardholder data. The PCI DSS mandates that systems be audited annually.

Russo said the ISA-certified personnel will only be licensed to perform internal assessments for the companies that sponsored their participation in the training program. Certified assessors from sponsoring companies cannot join other businesses and perform internal assessments at those companies without being recertified, he added.

Positive step

According to the PCI SSC, the ISA program was developed based on feedback the council received from its stable of participating organizations - a virtual who's who of financial services and technology companies - on the need for improved PCI DSS education for internal staff.

Dr. Tim Cranny, Chief Executive Officer at Panoptic Security Inc., believes the desire among businesses for more education concerning the PCI DSS is a positive sign that they are taking their data security responsibilities seriously. "It's not that the level 1 guys don't know what they're doing or are hopeless," he said. "It's just that they're very properly saying, 'This is hard. Help us and give us tools.'"

Cranny believes the ISA program is a step forward in data security, as it fosters the mindset that businesses need to maintain their own internal PCI DSS experts, rather than rely only on the expertise of third-party data security providers, such as Panoptic.

But according to Cranny, too often the old mindset persists: businesses hire third-party security compliance vendors to help them pass the yearly PCI DSS audit.

It's akin to cleaning up your house before your mother-in-law arrives, Cranny said. "And that's not a bad thing," he added. "But the ideal is that things should be clean, tidy and safe to begin with. You're much better off to have things fixed and in a good state because your internal people know what to do, when, why and how all the time."

Secure inside and out

That is where Cranny sees the main benefit to the ISA program. "It's very easy but wrong to get into the thinking of [the PCI DSS audit] as a special event," he said. "And that's particularly the case, and happens more often, when the internal people don't have the skills and resources.

"So rather than security being seen as an external thing that they need to go and get ... you want it really baked into the fabric of the organization," he said. "So having internal people who know what to do and why to do it and get things ready [for the audit] is definitely a good thing."

But Cranny emphasized that businesses should not expect ISA certification to replace external audits by third parties.

"It would be wrong if either merchants or sections of the industry said, given that we have these internal tools, you no longer need external audits and so on," he said. "That would be going too far because there is real fundamental value in these independent audits and assessments.

"If [the ISA] is done in a way that you keep the independent assessment, but you're giving companies the tools and the resources to get ready themselves, that makes things more efficient for the company, it saves them money and it also helps them raise the level of their own security."

For more information about the ISA Program, go to www.pcisecuritystandards.org/education/isa_training.shtml.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
