In his talk at the 2018 North America Community Meeting, COO Mauro Lance discusses how collaboration and feedback drive changes to PCI SSC programs. We discuss key points from his presentation below.
Can you provide an overview of PCI SSC programs? How have they evolved over the years?
Mauro Lance: PCI SSC Programs are created to support the successful implementation of the PCI Standards and have been a key component of the Council’s value proposition to the industry since its inception. We started with two programs in 2007 (QSA and ASV), and today we have reached 20 Programs with the launch of the PCI 3DS SDK Program this past summer. The programs are updated based on feedback from the industry which is received through the many participation venues that the Council has available to the industry.
Discussions at this year’s North America Community Meeting have focused a lot on the importance of industry feedback. How has industry feedback shaped PCI programs, and how can stakeholders provide feedback to the Council on PCI programs?
Mauro Lance: Several of our new programs, as well as significant changes to current ones, are the result of industry feedback, which is why dialogue with our constituency is so important to us, and why we continue opening new venues of participation. For example, the Associate QSA Program that we released earlier this year was in response to the feedback that the overall shortage of cybersecurity talent was making it difficult for QSA Companies to find suitable new assessors. As to new venues of participation, we just announced the creation of the Global Executive Assessor Roundtable to bring together senior leaders of assessor companies with insights from different regions of the world and experience on a wide variety of PCI assessor programs. In general, we have several ways to collect feedback. For example, each program, such as the QSA Program, has feedback forms; we also meet regularly with assessors, both face to face and in webinars; and we have community meetings and forums in each region of the world.
Your presentation highlights changes to the Qualified Integrator and Reseller Program. Why were these changes implemented and how will they improve payment security?
Mauro Lance: Several key players, such as the Retail Solutions Providers Association, provided feedback to us on areas such as length and pricing, with the overall objective to reduce friction and increase participation. As part of the changes, and as highlighted in several industry reports, we focused the training on three key controls that address the leading causes of payment data breaches for businesses: passwords, patching, and insecure remote access. The Council has many resources for merchants, including infographics and videos on these three controls.
The Payment Card Industry Professional (PCIP) is another program highlighted in your talk. What are the benefits of this program?
Mauro Lance: The PCIP Program was also implemented based on feedback from professionals that needed a foundational credential to acquire and demonstrate their professional knowledge and understanding of the PCI SSC standards. This program continues to grow and is now our largest participation program with over 3,000 active PCIPs. In addition to receiving specialized training to better understand the PCI Data Security Standard, this community receives a number of benefits including a dedicated networking event at the North America Community Meeting and a quarterly newsletter containing the latest payment security news from the Council. I encourage you to read a recent interview we conducted with Randy Braatz, a PCIP with Excentus, where he shares how this certification has helped him in his security career.
For those in the industry who weren’t able to attend this year’s meeting, what advice do you have to encourage participation in the Council and its programs?
Mauro Lance: I encourage those who couldn’t attend this year’s North America Community Meeting to take advantage of the many venues of participation available to them and become a PCI stakeholder to help influence the direction of the PCI Data Security Standards and Programs. For example, by becoming a Participating Organization they would get complimentary attendance at annual community meetings (the next one is in October in London!) hosted by the Council, receive two free Awareness Training eLearning sessions, have access to substantial training discounts on courses offered in instructor-led and eLearning formats such as ISA Training, nominate and vote for representatives to stand for election to the Council's Board of Advisors, and drive the Special Interest Groups (SIGs) that provide the Council with understanding and guidance on particular topics or technologies.