Training & Qualifications for PCI DSS Compliance

PCI DSS compliance is a big business in its own right, and a training ecosystem has sprung up around it. But you need to understand there are two very different aspects to PCI DSS training:

  1. Training that allows you to perform, assist with, or support PCI DSS assessments; and
  2. Training for staff who work in organizations which handle PCI DSS cardholder data.

The first of these is essentially a form of professional development for information security professionals. The second is for anyone who works at a company handling cardholder data. These objectives are very different, so when considering PCI training understand what you hope to get out of it.

But first, remember “payment card info is sensitive for sure…”

Information Security Professional Track

The following programs are established by the PCI Security Standards Council, the body which builds and maintains the PCI security standards. In addition to maintaining the standards and operating certification exams, the Council also offers its own training programs.

In this regard, the Council is in line with other professional security organizations. As examples, (ISC)² has its CISSP training, and ISACA operates various training programs.

At this time I am not aware of any exclusively free training options to prepare for these exams. The qualifications are perceived to have significant commercial value. The training options available reflect this.

PCI Security Standards Council

The PCI Security Standards Council (SSC) offers multiple training options. Most of these are aimed at employees of companies currently operating in the PCI compliant space.

It’s important to understand that for many of these, the employee is certified at their current company. If the employee moves to another company, the certification may not move with them.

If you work at a QSA Company, you already have lots of support to acquire and maintain the necessary certifications. Your organization needs you to maintain your status so it can run its business. General information about the requirements to become a QSA, and the ongoing training requirements, is available in our QSA information article.

PCI Professional

At the time of writing, the only portable qualification offered by the Council to individuals is the PCI Professional (PCIP). This is an entry-level certification, but it is the individual, not their employer, who is certified. You don’t need to be sponsored by an eligible company in order to hold this certification.

Discounts are given for PCIP certification if you work for a PCI member organization. This is the only difference between taking it as an employee of a member organization and taking it as a member of the public.

The PCIP program is intended for people who want to demonstrate that

Further details on the PCI PCIP program are available at the PCI SSC site:

PCI Internal Security Assessor

The other certification offered by the PCI SSC to employees of non-QSA firms is the Internal Security Assessor (ISA) qualification. This is aimed squarely at employees of higher-level merchants and service providers. If you are a level 3 or 4 merchant, you can elect to do a Self-Assessment Questionnaire (SAQ) as your annual PCI review; if you are a level 1 merchant, you are required to have an on-site assessment that results in a ROC and AOC.

For level 2 merchants, while you have the option to complete an SAQ, there is a complication. Some card brands require that if you elect the SAQ route rather than an on-site assessment, the internal auditor completing the SAQ must hold the PCI ISA qualification. If you work for such an organization, this may be worth investigating, particularly if you already have an internal audit department with staff familiar enough with the PCI landscape to pass the PCI ISA exam.

Further details on the PCI ISA program are available at the PCI SSC site:

Free Training

There are no free training options that will take you all the way to a formal certification. But there is lots of free material out there to enhance your knowledge of the PCI DSS space.

YouTube

On YouTube there is lots of content of varying quality. Some of it is great; some of it not so much. Sorting the wheat from the chaff can be time consuming, so let me help out.

Much YouTube content is produced with the aim of selling you something; it’s basically an infomercial. When watching a video, understand what they’re trying to sell you. If it’s a specific security product to make your PCI compliance easier, keep an appropriate degree of skepticism. It may be a great fit for your organization, but it may not.

In general I find videos which market consulting services to be more informative. They are written to show off the skills and depth of experience you would get if you chose to work with that group of people, rather than to sell you a quick fix to a problem. So there is still bias and spin, but it’s in the direction of providing you with some useful knowledge.

Overview material

Ingram Micro is the world’s largest IT distributor, working with organizations of all sizes. They consult in lots of different areas, one of which is PCI DSS. Per my comments above, they’ve put together some marketing videos to show off their consultants.

The Ingram Micro Cyber Security team have put together an excellent 90-minute foundational training video. It’s a great introduction to both PCI DSS and card payments, and covers the following topics:

No.  Topic
1    Introduction to PCI DSS
2    Anatomy of a Payment Card
3    Understanding the Payment Ecosystem
4    PCI DSS Requirements 1-12

Table: PCI DSS Foundational Training Agenda

Cybrary

Cybrary provides an online training community focused on IT certifications. In addition to delivering their training materials, the site has discussion forums for students. Currently, they offer two courses which cover PCI DSS:

Of these, the 6-hour course is free for everyone. It consists of training videos which you watch, with ungraded quizzes at the end of each video so you can track what you understood.

The MicroCourse includes both training videos which provide an overview of the material, and graded assessments to gauge your understanding of it. It’s not free, but if you’re not already a Cybrary member you may be eligible to do the MicroCourse through a free trial. If you are a member, check whether it’s available in your subscription.

James Madison University

Looking for an example of merchant PCI security awareness training? The good folks at James Madison University (JMU) have made their annual PCI DSS awareness presentation available to the public. If you’re looking to learn the very basics of PCI DSS, or need inspiration for your own awareness program, this is a good place to start.

The JMU material is very much focused on training staff at a merchant who are responsible for securely handling card transactions. That’s no bad thing, as it may be the most common use case for personnel dealing with payment cards. Because of this, they have individual pages outlining the security features of American Express, Discover, MasterCard, and Visa cards. That is 4 of the 5 original founding members of the PCI SSC; it’s fair to assume JMU don’t have many dealings with JCB, so that’s an understandable omission.

Also note that this material is slightly dated, as it’s aimed at PCI DSS version 3.0 rather than the current 3.2.1. However, at the level of understanding that this material targets, there are essentially no differences between the two versions.