If you are looking at the PCI Professional (PCIP) program you may be asking “What’s in it for me?” or “Why should I take time out to study and either fund this myself or ask my employer to allocate already stretched training budgets to certification?” Here are three good reasons to consider the PCIP program for you and your organization.
1. Drives holistic security understanding
The PCIP qualification helps those who have responsibility for security controls understand how their contribution fits into the bigger picture. Operating security controls is a relentless process, and we all know that controls have to be embedded into everyday ways of working to be effective. It is easy to let controls fall by the wayside over time. Understanding the context in which controls operate, and how those controls fit together to form a layered security defense, helps prevent that drift. PCIP does this with a broad overview of the PCI Data Security Standard (PCI DSS) and, unlike the Qualified Security Assessor (QSA) and Internal Security Assessor (ISA) roles, it isn’t focused on assessing controls. PCIPs know how the PCI DSS controls work together on an ongoing basis to provide defense in depth.
2. Facilitates the assessment process
In larger companies that are subject to annual assessments by a QSA, the assessment can be made easier by having PCIPs in the company: they know what to expect from a QSA, what evidence the QSA will be looking for, and how to provide it. One model we’ve seen work well is having QSAs work with ISAs, who in turn rely on the PCIPs actually operating the controls within the company. The ISA works with the QSA to facilitate the assessment, drawing on evidence held by the PCIPs. This results in a smoother process for everyone involved.
3. It's personal
If you are working for a company whose clients need to be PCI DSS compliant then you need to be able to assure them that you understand their needs and that your products or services support their compliance efforts. And for that you need to understand PCI DSS which is, of course, where PCIP comes in.
The PCIP certification is personal. It relates to the person, not the company, so it stays in place if you change roles or employers. PCIPs receive a quarterly newsletter from the Council and are invited to attend the annual PCI Community Meetings. We now have more than 2,500 PCI Professionals, and we are looking forward to working more closely with this growing community in the years to come.
PCIP provides an opportunity to learn more about the PCI Standards and to demonstrate understanding by passing the PCIP exam. If you are responsible for operating PCI DSS controls in your company, working on a PCI DSS compliance project, or have clients that need to be PCI DSS compliant, then participation in the PCIP program could prove beneficial to you.
For more information on how the PCIP program can benefit you and your organization, download this case study.
Subscribe to this blog for the latest information on PCI DSS 3.2 and other PCI updates.