The Green Sheet Online Edition
September 24, 2012 • Issue 12:09:02
PCI SSC offers IT accreditation program
The Payment Card Industry Security Standards Council (PCI SSC) introduced an open accreditation program designed to certify information technology (IT) professionals on their knowledge and understanding of the Payment Card Industry (PCI) Data Security Standard (DSS). This news arrives as the council assesses feedback from its community of participating organizations on version 2.0 of the PCI DSS and the Payment Application (PA) DSS.
The new certification program, called the PCI Professional (PCIP) program, is geared toward individuals and does not require company sponsors. Thus the certificate is transferable from one employer to another. The program offers payments industry tutoring and, once the professional succeeds in passing the exam, a place on a searchable PCIP certificate list on the PCI SSC website.
The PCIP course is web-based and concentrates on the fundamental principles and procedures of the PCI DSS. Certification candidates have 30 days to complete the course. The first course begins Nov. 1, 2012, but testing is available now. Professionals may elect to forgo the instructional portion of the program and just take the test.
The tests may be taken at any of the more than 4,000 Pearson VUE Testing Centers around the world. Those who already hold Internal Assessor and Qualified Security Assessor certification can add the PCIP credential to their list of professional achievements by simply registering with the PCI SSC. Candidates need two years of IT experience to take the course and/or exam. PCIP-certified professionals must recertify every two years.
PCI SSC General Manager Bob Russo compared the PCIP program to the Certified Information Systems Security Professional (CISSP) certificate offered by the International Information Systems Security Certification Consortium, a nonprofit organization focused on IT security professionals.
"When we introduced the PCI DSS, we created a huge market for Qualified Security Assessors and Internal Security Assessors," Russo said. "ISAs wanted to know what assessors were looking for coming in. They wanted to know how to get ready for the assessment. This program helps companies that want to do their own assessments but need background on the payment card industry." Russo said test questions were developed by the council internally. The certificate provides a competitive advantage to IT professionals because it validates expertise and opens doors to more opportunities and rewards, he noted.
Feedback on PCI standards
The PCIP certificate program was launched the same week the council released industry feedback on version 2.0 of the PCI DSS and PA DSS. Version 2.0 is scheduled for release in October 2012. The feedback was offered by organizations and individuals across the spectrum of the payments industry. The council said more than 90 percent of the feedback concerned the PCI DSS, the main standard, which is made up of 12 overarching requirements.
The suggestions for improving the standard include:
- Prescribing the use of specific tools, requiring that approved scanning vendors perform internal scans, and defining what constitutes a "significant change" (Requirement 11.2)
- Adding more guidance on scoping and segmentation
- Clarifying the terms "service provider" and "shared," and providing more prescriptive requirements regarding written agreements that apply to service providers (Requirement 12.8)
- Updating the self-assessment questionnaires
- Providing clarification and guidance on encryption and key management (Requirement 3.4)
- Updating password requirements, including expanding authentication beyond just passwords (Requirement 8.5)