More help is on the way for companies struggling to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Merchants and service providers will soon be able to send their own staff on a PCI-certified internal auditor course to learn about the standard and to become qualified Internal Security Assessors (ISAs). The ISAs would not remove the need for a third-party audit by an external Qualified Security Assessor (QSA). They would, however, work with QSAs to enable companies to take more responsibility for their own compliance programmes and to be less at the mercy of the sometimes conflicting advice offered by QSAs during a PCI assessment.
The first courses are being introduced by the PCI Security Standards Council (SSC), which manages the PCI DSS programme, in the US in June. The first European courses will take place in Barcelona in October.
Bob Russo, general manager of the PCI SSC, said that further courses would be rolled out later, and that several big UK companies had already expressed interest in sending their people to the courses.
"Any merchant or services provider can send their internal people for three days of training with a certification test at the end," Russo said. "It will certainly enable them to enhance the quality and reliability, and more importantly the consistency, of their PCI DSS programme, even if they're doing their own self-assessments. If they are not doing their own self-assessments, it will support consistent and proper application of the DSS and the controls associated with it, in conjunction with the QSA. It should facilitate better interaction with the QSAs because the new ISAs will know what's expected of them when they prepare for compliance."
The ISA programme is part of a package of recent measures introduced by the SSC to tighten up the way QSAs and their companies operate. Many merchants, especially in Europe, have complained about a perceived lack of expertise and consistency among different QSAs.
To answer that criticism, the PCI SSC just over a year ago launched a quality assurance programme for QSAs, and Russo said it is already helping to ensure consistency among QSAs. Not only must QSAs now undergo a more stringent initial training, but they must also get annual re-certification, and those who fail are put into remediation until they can attain the required standard.
The SSC's website lists all certified QSAs, and when it puts any individual into remediation, his or her entry on the site is tagged and marked in red, so that merchants can easily check a QSA's status. The site is now updated every week.
Russo said the PCI SSC soon hopes to further improve the QA programme by certifying the companies employing QSA consultants. "Every one of the QSAs is obliged to go through training and re-qualification every year. Once that is done, we will then begin looking at each of the QSA companies to ensure they have their own internal QA programme in place," Russo said. "We want to make sure they are looking at the right things and are controlling the QSAs, and making sure that everybody has the proper training."
Detailed annual checks will be applied against the 15 to 20 companies that, according to Russo, account for nearly 80% of all the PCI DSS compliance work done globally. Other companies can expect to be checked every 18 to 24 months, he said.
In a separate move, the SSC has appointed a new regional director to look after Europe. He is Jeremy King, who previously worked for Mastercard, and has already served on PCI DSS working groups. His role, said Russo, will be to act as a local contact point and deal with the specific requirements of European countries in complying with PCI DSS.