PCI SSC is in the process of launching a new program to train and qualify security professionals to perform assessments using the PCI PIN Security Standard. Gill Woodcock, Senior Director of Certification Programs, provides an update on this effort and how it will improve the security of payments.
The PCI Security Standards Council is launching a new program to qualify security professionals to perform assessments using the PCI PIN Security Standard. Can you tell me a little bit more about that?
Gill Woodcock: PCI SSC is announcing the Qualified PIN Assessor (QPA) program. These security professionals will be trained and approved by PCI SSC to perform assessments using the PCI PIN Security Standard. New instructor-led training and quality management processes are being developed to support this new program. PCI SSC will list Qualified PIN Assessor Companies and their certified employees on its website.
The latest publication of the PCI PIN Security Standard is a response to the payment card industry’s feedback for one unified PIN security standard that will simplify the security assessment process for stakeholders. Published in August 2018, Version 3.0 of the PCI PIN Security Standard is a result of collaboration between PCI SSC and the Accredited Standards Committee (ASC X9) to create one unified PIN Security Standard for payment stakeholders.
The QPA Program has been developed to provide additional benefits to the payment card industry by providing a standard certification and a centralized list of approved PIN Assessor Companies, which will ensure high-quality QPA services for merchants and service providers into the future.
What does this mean for companies and individuals currently performing PIN assessments?
Gill Woodcock: Existing PIN assessors may already qualify to become QPAs if they have been performing third-party PCI PIN assessments for at least two years and have been trained and certified by either VISA as a Security Assessor for PIN or as a Certified TG-3 Auditor (CTGA), including continuing education bi-annually. Existing PIN assessors must belong to a qualified QPA Company and will need to attend the instructor-led PIN training prior to certification and listing as a QPA. After two years, these assessors must meet all the QPA qualifications as defined in the QPA Qualification Requirements on the PCI website. Existing PIN assessors should review the QPA Qualification Requirements to understand all applicable requirements for existing QPA Companies and their individual QPAs.
Who will determine when a QPA is required?
Gill Woodcock: The Payment Brands, Networks and Acquirers will continue to determine the compliance requirements associated with their PIN Security programs including use of QPAs, deciding which entities must undergo an assessment, frequency and the reporting process for the PIN Report on Compliance (RoC) and PIN Attestation of Compliance (AoC) produced as part of each assessment.
Will PCI SSC have a website listing for entities which have been successfully validated against the PCI PIN Security Standard?
Gill Woodcock: No, PCI SSC will not be listing entities which have been validated against the PCI PIN Standard. This remains within the remit of the payment brand compliance programs.
Can those who have not performed PIN assessments previously apply to become a QPA?
Gill Woodcock: Yes, security professionals with at least three years of advanced security experience, including cryptography, key management, network security, systems security and performing security assessments, may apply to this new program. Candidates will be required to have two industry certifications. For the full list of requirements, refer to section 3.2 of the QPA Qualification Requirements located in the document library of the PCI SSC website.
Is it a prerequisite to be a Qualified Security Assessor (QSA) before becoming a Qualified PIN Assessor?
Gill Woodcock: No. While QSA Companies and QSAs are welcome to apply to the QPA program if they meet the qualification requirements, it is not necessary for a company or an assessor to first be certified as a QSA before applying for certification as a QPA.
What are some considerations for organizations looking to become a QPA Company?
Gill Woodcock: Companies must meet the company-level requirements set out in the QPA Qualification Requirements. This includes having the necessary skills and experience on staff, having a quality assurance program, having processes for protection of confidential information and being able to provide client references from relevant security assessment engagements. There is an annual company fee that will permit the QPA Company to perform PCI PIN Assessments globally, and QPA Companies must have insurance for any region in which they operate. Once the QPA Company application is approved by the Council, the Company may then submit applications for QPA Assessors and register them for instructor-led training. The Council will begin accepting QPA Company applications on 20 February 2019.
When will the first training class be available for QPAs?
Gill Woodcock: The first training class has been scheduled for South Carolina, June 11 and 12, 2019. Please refer to the QPA Training page which will be available on 20 February on the PCI website for all the QPA training dates in 2019 and possible updates.