After many discussions with people responsible for achieving and maintaining PCI DSS compliance within their organisation, and hearing about their problems and pains, I often think about the skills they need and where they can get them. They could recruit, outsource or train, with training being the most cost-effective.
I noticed on the PCI SSC website the details of their “PCI SSC Internal Security Assessor (ISA) Program” and the benefits it can deliver to large or complex merchants, so I decided to promote it as a way of achieving some of the required in-house skills.
Knowing many highly skilled QSAs, I would always say that their extensive knowledge of different scenarios and industries makes them the backbone of the PCI DSS, not just from an audit perspective but also through their advisory and guidance skills.
The ISA programme gives candidates the opportunity to build their PCI Security Standards expertise and strengthen their approach to payment data security, as well as increase their efficiency in compliance with the PCI Data Security Standards.
About the Training
Employee education is the best defense for protecting your organization’s data assets.
To address concerns about PCI compliance and card data security, the PCI Security Standards Council operates the Internal Security Assessor Program to assist firms seeking to educate their employees on PCI compliance regulations. The program trains, tests, and certifies organizations and individuals to assess and validate adherence to PCI Security Standards.
Who Should Attend?
ISA training is intended primarily for individuals who already possess significant relevant security audit and assessment experience (including but not limited to Network Security, Application Security and Consultancy, System Integration, and Auditing).
- Improve your understanding of PCI DSS and how it can help protect your customer data and your business
- Help your organization build internal expertise
- Facilitate interaction with a QSA for your organization
- Enhance payment card data security and manage compliance costs
- Earn CPE credits
The Format: The Council recognizes that students may prefer different learning environments and offers ISA training in two formats: instructor-led (ILT) and online eLearning. Same content. Same qualification. You decide what’s best for you.
The ISA Training Program, for internal security assessment staff at ISA Sponsor Companies, comprises a four-hour online pre-requisite course and exam called PCI Fundamentals, followed by either an instructor-led course and exam or an eLearning course and exam. Successful completion results in the ISA qualification and a PCI ISA certificate.
Pre-Requisite Course Curriculum: This portion of the training ensures that all participants attending the ISA Training Course have the same baseline understanding of the PCI SSC, the card data environment, and the related terminology, along with the industry relationships within the credit card transaction flow. It concludes with a multiple-choice test.
- Understanding the Payment Card Industry Security Standards Council and its role
- Defining the processes involved in card processing
- PCI roles and responsibilities
- Understanding cardholder data
- Defining network segmentation
- PCI DSS assessments
ISA Course Curriculum Covers:
The ISA course is the next step for those students who have successfully completed the pre-requisite PCI Fundamentals course. This course builds on the knowledge gained in PCI Fundamentals and delves into the actual PCI DSS requirements and testing procedures. In addition, it addresses topics such as Report on Compliance (ROC) documentation, QA ROC review, and compensating controls, to name just a few. Also included in the instructor-led course are case studies that provide the ISA candidate with a simulation of assessment scenarios that may aid them in solving common problems found in their own environments. A multiple-choice exam immediately follows the instructor-led course. For students who take the eLearning course, the exam may be conveniently scheduled at a Pearson VUE Testing Center.
- What is PCI and what does it mean to companies that must meet compliance with the DSS?
- Industry overview
- Transaction data flow
- Relationships between various organizations in the process
- How the credit card brands differ in their validation and reporting requirements
- PCI Data Security Standard (DSS)
- Overview of 2.0
- Testing procedures
- What constitutes compliance
- PCI Hardware and Communications Infrastructure
- PCI Reporting
- Real world examples
- Overview of compliance issues and mitigation strategies
- Compensating controls
- Creating policies
- Modifying cardholder data environment
How to Register: Three Steps to Join as a Sponsor Company and Have Your Employees Attend ISA Training
Step 1: Submit the required Sponsor Company documentation by mail.
- Original signed agreement, page 13 of the Validation Requirements document
- The representative noted as your company primary contact should be prepared to receive all PCI SSC related communications
- It is not required that your primary contact be an officer of your company
- Copy of your company business license (Articles of Incorporation are also acceptable)
- A fully completed Individual Certification page for each employee you wish to send to training
Step 2: An invoice will be issued via email to the primary contact listed on the agreement page once the application is received. Applications are reviewed within 5 business days of receipt.
The fees for the ISA training will be based on whether or not your company is a member of the PCI SSC Participating Organization Program.
The Participating Organization Program is a separate program and membership is not based on your company compliance to PCI DSS or the submission of the Sponsor Company documents outlined above.
Step 3: Upon receipt of payment, the designated primary contact will receive instructions for the online pre-requisite portion of the training. Once the PCI Fundamentals training and test have been passed successfully, the primary contact will receive the location details for the instructor-led class or login credentials for the eLearning class. These will not be released until the online PCI Fundamentals training has been taken and the test passed.
2013 ISA Training Course Schedule

| Location | Participating Organization Price | Non-Participating Organization Price |
|---|---|---|
| New Orleans, LA, USA | | |
| Denver, CO, USA | | |
| Orlando, FL, USA | | |
| Boston, MA, USA | | |
| Las Vegas, NV, USA | | |
| Kuala Lumpur, Malaysia | | |
Full details can be found here.