This week I sat through undoubtedly the best education I have had surrounding the payment industry and specifically PCI DSS. The training was provided by the Aegenis Group for the Society of Payment Security Professionals – who include notables such as Michael Dahn of PCI Answers.com and Chris Mark. The training was three very full days and covered their two subject areas – the Auditor and Manager portions. There is a fourth day that is made up of just under 5 hours of testing, so not really a day of learning but one of demonstration.
To provide some context here, I need to highlight that I have attended the Visa QSA training, ETA training sessions, RSA VISA conference hall sessions, and third-party PCI training, and have even delivered PCI training. The attendees were a diverse group that included QSAs, acquirers, issuers, ISOs, merchants, and a variety of others. The group made the breaks tremendously valuable and really added to the course. Despite a very full room and three solid days of material and learning, I was very pleased with the material, presentation, and experience.
A bit of detail for those who deal with payment card information and would like to minimize their risks and maximize their operating budgets:
Auditor section (CPISA)
- The training is broken out into technical and manager/operator tracks
- The auditor portion was very technical, but not in the biased security way that some courses provide
- The auditor section provides great detail on what should be in place and how to ensure compliance with the payment industry's concerns (not solely those of PCI DSS)
- The auditor certification exam was moderately difficult for me, but less than others given my experience. Of course, this is all just optimism given the results take several weeks to be calculated!
Manager section (CPISM)
- This section was tremendously valuable – focused on the macro effect of having sensitive data and what strategically needs to be done
- That isn’t to say this was fluff – there was a constant flow of practical details from current challenges
- There was plenty of detail around the contributing regulations (a personal passion of mine) that impact PII and these businesses
I can’t say too much given I signed a privacy and confidentiality agreement, but the bottom line is simple. If your business stores, processes, or transmits credit cards, OR your business makes sure companies do not have security concerns for those systems, you must take this training. The certification exams are extremely tough, the material is based on thousands of pages, and the days of training are the primer for your further education. Those who showed up to this training without preparation weren’t able to dive into the deep problems.
Enough of the payment industry for me this week. For a bit of variety check out this new breach involving ‘entities’ trying to hack into the candidates’ systems looking for a leg up on policy.
Fresh from Dallas,
James DeLuccia IV