At the last PCI Community meeting the Council introduced a new certification (yes one more!). After, ASV, QSA, P2PE QSA, ISA, PFI, QIR, there it is: The PCIP (Payment Card Industry Professionals) certification.
Firstly, to answer a valid concern from the QSA and ISA employees. QSA and ISA certifications are not assigned to individuals but to the couple (company, employee). Therefore the QSA/ISA employee status is lost whenever the individuals leave their employers. This fact is poorly known among the industry where job postings refer too often to "looking for a certified QSA". There is no individual certified QSA nor ISA. According to the Council, PCIP offers an industry credential that travels along with you and your career. This doesn't change the fact that independently of their PCIP status, former QSA's and ISA's have to go through the certification process when hired by another company.
Secondly, organizations subjected to compliance are supported by security professionals along their PCI journey (training, gap analysis, specific advices, solution integration, compliance management, pre-audit, and so on…). In this context, a certification could provide a kind of assurance of their level of understanding of the PCI matter.
What is the view of PCIco?
The PCIP sale pitch lists the following advantages to become certified.
- Be part of the PCIP community
- Get an individual credential recognized by the industry
- Get your PCI knowledge recognized
- Support your organization or customers ongoing compliance efforts
- Enhance your credibility
- Get competitive advantage
- Get public recognition of your professional achievement
Clearly PCIco wants to create a PCIP community by attracting individuals working within the PCI sphere: entry-level and seasoned security professionals, managers, executives, independent consultants and eligible QSA and ISA individuals. A huge number of certificates in perspective.
What is the view of the security community?
People who do not have a QSA or ISA certification, see this as an opportunity. Here is what Don Turnblade, recently PCIP certified, says about this certification: "In effect, the PCIP is useful for showing an approved level of understanding of the PCI DSS standards. Unless I took the QSA training from a QSA certified company, it would not allow me to audit or attest to PCI DSS compliance. However, it would make me a credible advisor for audit preparedness/pre-audit solutions advising and does not need to be attached to a QSA certified company as a consultant. Also, a PCI DSS QSA company could be quickly assured that if I would work with them, I have a credible level of PCI DSS QSA understanding". The only concern with it is that it is relatively unknown but we could trust the Council to push it through the PCI community. Probably within five years from now, PCIP would be required for any PCI job such as CISSP.
However QSA's and ISA's who may apply for the PCIP credential and qualification without completing PCIP-specific exams or training, don't really see any added value in this certification as a proof of their knowledge and experience.
How to get qualified?
The qualification process is straightforward.
You apply (Submit online application). Make sure to possess a base level of knowledge and awareness of information technology, network security, network architecture, and payment industry. As part of the application process candidates must submit their resume or CV evidencing at least 2 years of￼￼ work experience in an IT or IT-related role. This is to ensure they have the knowledge and experience to understand the training.
You pay the non-refundable fee (Application fee + training fee + Exam fee). This fee could range from $790 to $ 3635 depending on wether you take the training or not and wether or not you work for a participating organization which is strange for a individual certification!
You complete the on-line course (This is optional). Candidates has 30 days access to the online course. Course content includes:
1. Principles of PCI DSS, PA-DSS, PTS, P2PE, and PIN Security
2. Understanding PCI DSS v2.0 requirements and intent
3. Overview of basic payment industry terminology
4. Appropriate uses of compensating controls
5. How and when to use Self-Assessment Questionnaires (SAQs)
6. Recognizing how new technologies affect the PCI (P2PE, tokenization, mobile, cloud)
7. PCI Code of Professional Responsibility
8. Case study application
9. Resources available to stay current
You take the on-site exam (this is not optional ), a computer-based PCIP exam at a PearsonVUE test center. The Pearson VUE Testing Networks includes over 5,000 testing centers in over 165 countries. The test is 90 minutes in length with 60 questions. Most people complete it in 40 to 45'. The passing score is 75%. Suggestion: For planning purposes, assume the test needs an average of one answer per minute, skip problem questions if a minute worth of reasoning did not help and go back to them with the final 30 minutes for best guess selections.
Here is what some people say about the test.
If you have a solid understanding of ALL the sections in the DSS and review some of the material regarding P2P encryption and virtualization, etc, you should have no problem passing the test.
It's a fairly easy test for someone who is familiar with the requirements. I would add that you should have familiarity with the difference between certain networking protocols such as WEP vs WPA (i.e. which is secure and which is not), but that is covered in the requirements as well. What is not necessarily covered in the requirements is that you should also be familiar with payment card processing, such as authorization, completion and settlement and at what points the consumer, merchant, acquirer and bank process the transaction.
I was able to complete it with a passing grade in one pass in 45 minutes. Eliminating two options out of four was rather easy to do. My own sense was that 3 to 6 questions were quick kills for every one question requiring elimination skills to make a best answer. A small list of questions, no more than 6 total had me off balance. It would not be wise to assume a trivial reading of the standard would be sufficient preparation.
The exam is similar to the recertification exams that a PCI DSS QSA would take each year. I modeled my study for that exam from such training materials, and this worked well.
PCIPs must re-qualify every two years in order to continue to maintain their status and be listed on the PCI website.
The PCIP training course description on the PCI SSC website
PCIP Registration page
Pearson VUE Testing Centers (PVTC)
PCIP Program manager
email: email@example.com - phone - +1-781-876-6222.
Do you intend to take the PCIP certification? and Why?
Did you read our previous newsletter: PCI 30 second newsletter #25 - A new standard is born