The Green Sheet

Friday, September 7, 2012

PCI SSC offers IT accreditation program

The Payment Card Industry Security Standards Council (PCI SSC) introduced an open accreditation program designed to certify information technology (IT) professionals on their knowledge and understanding of the PCI Data Security Standard (DSS). This news arrives as the council assesses feedback from its community of participating organizations on version 2.0 of the PCI DSS and the Payment Application (PA) DSS.

The new certification program, called the PCI Professional (PCIP) program, is geared toward individuals and does not require company sponsors. Thus the certificate is transferable from one employer to another. The program offers payments industry tutoring and, once the professional succeeds in passing the exam, a place on a searchable PCIP certificate list on the PCI SSC website.

The PCIP course is web-based and concentrates on the fundamental principles and procedures of the PCI DSS. Certification candidates have 30 days to complete the course. The first course begins Nov. 1, 2012, but testing is available now. Professionals may elect to forgo the instructional portion of the program and just take the test.

The tests may be taken at any of the more than 4,000 Pearson VUE Testing Centers around the world. Those who already hold Internal Assessor and Qualified Security Assessor certification can add the PCIP credential to their list of professional achievements by simply registering with the PCI SSC. Candidates need two years of IT experience to take the course and/or exam. PCIP-certified professionals must recertify every two years.

Like CISSP

PCI SSC General Manager Bob Russo compared the PCIP program to the Certified Information Systems Security Professional (CISSP) certificate offered by the non-profit IT security professional-focused International Information Systems Security Certification Consortium.

"When we introduced the PCI DSS, we created a huge market for Qualified Security Assessors and Internal Security Assessors," Russo said. "ISAs wanted to know what assessors were looking for coming in. They wanted to know how to get ready for the assessment. This program helps companies that want to do their own assessments but need background on the payment card industry."

Russo said test questions were developed by the council internally. The certificate provides a competitive advantage to IT professionals because it validates expertise and opens doors to more opportunities and rewards, he noted.

The PCIP program is added to a growing list of PCI training programs. Russo promised the council will add more certification courses as they are needed.

Feedback on PCI standards

The PCIP certificate program was launched the same week the council released industry feedback on version 2.0 of the PCI DSS and PA DSS. Version 2.0 is scheduled for release in October 2012.

The feedback came from organizations and individuals across the spectrum of the payments industry. The council said more than 90 percent of the feedback concerned the PCI DSS, the main standard, which comprises 12 overarching requirements. The suggestions for improving the standard include:

  • Prescribing use of specific tools, requiring that approved scanning vendors perform internal scans and defining what constitutes a "significant change" (Requirement 11.2)
  • Adding more guidance on scoping and segmentation
  • Clarifying the terms "service provider" and "shared," and providing more prescriptive requirements regarding written agreements that apply to service providers (Requirement 12.8)
  • Updating the self-assessment questionnaires
  • Providing clarification and guidance on encryption and key management (Requirement 3.4)
  • Updating password requirements, including expanding authentication beyond just passwords (Requirement 8.5)

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
