The Green Sheet Online Edition
May 24, 2010 • Issue 10:05:02
PCI SSC steps up data security education
The PCI Security Standards Council (PCI SSC), the organization responsible for developing and managing the data security standards that apply to payment networks, hardware and software, has launched the Internal Security Assessor (ISA) Program for the training and certification of personnel at large organizations. The program covers the fundamentals and intricacies of the Payment Card Industry (PCI) Data Security Standard (DSS).
The three-day courses are to be held regularly in cities around the world, starting in May 2010 in Sydney, Australia. The training is designed for the security assessment staff at entities like level 1 merchants, acquiring banks and processors.
At the end of the courses, tests will be administered to certify personnel, such as businesses' information technology and risk management professionals, to perform internal assessments for their organizations.
"If you're a large merchant, some of the brands will allow you to do your own assessments," said Bob Russo, General Manager at PCI SSC. "And if you're going to do your own assessment, you certainly will want the people that are doing the assessment internally to be as well trained, if not better trained, than the QSAs [Qualified Security Assessors]."
QSAs are third-party assessors certified by the PCI SSC to assess entities' payment systems for PCI DSS compliance, verifying that cardholder data is properly protected. The PCI DSS requires that compliance be validated annually.
Russo said the ISA-certified personnel will only be licensed to perform internal assessments for the companies that sponsored their participation in the training program. Certified assessors from sponsoring companies cannot join other businesses and perform internal assessments at those companies without being recertified, he added.
According to the PCI SSC, the ISA program was developed based on feedback the council received from its stable of participating organizations - a virtual who's who of financial services and technology companies - on the need for improved PCI DSS education for internal staff.
Dr. Tim Cranny, Chief Executive Officer at Panoptic Security Inc., believes the desire among businesses for more education concerning the PCI DSS is a positive sign that they are taking their data security responsibilities seriously. "It's not that the level 1 guys don't know what they're doing or are hopeless," he said. "It's just that they're very properly saying, 'This is hard. Help us and give us tools.'"
Cranny believes the ISA program is a step forward in data security, as it fosters the mindset that businesses need to maintain their own internal PCI DSS experts, rather than rely only on the expertise of third-party data security providers, such as Panoptic.
But according to Cranny, too often the old mindset persists: businesses hire third-party security compliance vendors to help them pass the yearly PCI DSS audit.
It's akin to cleaning up your house before your mother-in-law arrives, Cranny said. "And that's not a bad thing," he added. "But the ideal is that things should be clean, tidy and safe to begin with. You're much better off to have things fixed and in a good state because your internal people know what to do, when, why and how all the time."
Secure inside and out
That is where Cranny sees the main benefit to the ISA program. "It's very easy but wrong to get into the thinking of [the PCI DSS audit] as a special event," he said. "And that's particularly the case, and happens more often, when the internal people don't have the skills and resources.
"So rather than security being seen as an external thing that they need to go and get ... you want it really baked into the fabric of the organization," he said. "So having internal people who know what to do and why to do it and get things ready [for the audit] is definitely a good thing."
But Cranny emphasized that businesses should not expect ISA certification to replace external audits by third parties.
"It would be wrong if either merchants or sections of the industry said, given that we have these internal tools, you no longer need external audits and so on," he said. "That would be going too far because there is real fundamental value in these independent audits and assessments.
"If [the ISA] is done in a way that you keep the independent assessment, but you're giving companies the tools and the resources to get ready themselves, that makes things more efficient for the company, it saves them money and it also helps them raise the level of their own security."
For more information about the ISA Program, go to www.pcisecuritystandards.org/education/isa_training.shtml.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.