The Green Sheet Online Edition
May 28, 2012 • Issue 12:05:02
PCI to train, certify software integrators
Studies show improperly installed payment application software is the culprit behind most of the breaches and data theft among retailers in low-end merchant card categories. The payments industry's security standards watchdog, the PCI Security Standards Council (PCI SSC), said May 9, 2012, it is responding to this epidemic of data theft by offering training and certification to payment software integrators and resellers.
PCI SSC General Manager Bob Russo said that after the first training and certification process is complete, the council will publish a list of Payment Card Industry (PCI) Data Security Standard (DSS) certified integrators and resellers on its website.
The heart of the problem
"It's not the applications that are causing the problem," Russo said in an interview to promote the PCI Qualified Integrator and Reseller (QIR) program. "It's the way applications are installed that causes the problem."
Russo cited a report from the data security and compliance management company Trustwave Inc. stating that 76 percent of all data breaches Trustwave investigated in 2011 were caused by the people responsible for supporting POS systems.
"We've often seen cases where people install a system using the password that came with the software," Russo said. "This program is an attempt to make sure we are training the people who are doing the installing of these software packages."
Details of the program are evolving. The online classes will begin in late summer 2012. "The pricing for the training is not yet determined," Russo said. "We want to reach as many people as we can. We want to make this program attractive to people who want to be certified."
The recommended solution
The training is in response to a PCI SSC task force recommendation that the council provide "more guidance and best practices for integrators and resellers" along with a published list of PCI certified integrators and resellers around the world.
"The majority of breaches have moved to the Level 3 and Level 4 merchant," Russo said. "This task force was made up of the people feeling the pain and dealing with all aspects of these breaches." The task force consisted of merchants, acquirers, payment software vendors and representatives from the card companies.
Russo estimated the online class will take "probably 6 to 8 hours" to complete. It will be followed by a certification test. "If you were to take the course and the certification test it would probably take a day or two," Russo said. "It depends on how quickly you go through the materials. This is not rocket science here. This is security 101."
Additional materials on the program will be available in June or July 2012. PCI webinars promoting the training are planned for July. "We will launch the training in the end of July or the beginning of August," Russo said. "We plan to list the QIRs by late summer."
Russo said the council is not requiring that integrators and resellers be certified, but he believes integrators and resellers eventually may become "conspicuous by their absence" on the PCI list of certified installers.
For more information on the training, please go to www.pcisecuritystandards.org/training/index.php.