By: Kevin Chojnowski, ISA, PCIP, Change Healthcare

As a qualified security assessor (QSA) certified by the PCI Security Standards Council, I have performed a large number of PCI assessments of all shapes and sizes in my career. This includes report on compliance (RoC) assessments, self-assessment questionnaire (SAQ) validations, gap analyses, and other consulting-related PCI services for a variety of retail establishments, service organizations, public utilities, healthcare organizations, and service providers. Any entity that stores, processes, or transmits credit card data is expected to comply with the PCI Data Security Standard (DSS), and may be required to complete a RoC or SAQ as evidence of its compliance posture. PCI DSS version 3.2.1 is the current assessment standard; it cites more than 350 security controls and provides the framework for lower-level assessments (such as SAQs). How credit card processing is done by a merchant or service organization can vary significantly and can cause confusion as to which PCI DSS controls are applicable. Further, there is often confusion about whether or not the controls that an organization has implemented are sufficient to meet the intent of the PCI DSS. These are some of the reasons why I often recommend to my clients that someone within their organization earn the internal security assessor (ISA) certification from the PCI Security Standards Council.

For organizations trying to attain and demonstrate compliance with PCI requirements, having an internal security assessor can reduce the risk of being out of compliance and help them secure their PCI environment. Whether your organization is completing an SAQ to meet its PCI compliance reporting obligation, or employing the services of a QSA company, an ISA can help interpret the PCI requirements internally or serve as a key liaison for the company as the QSA performs an external assessment.

The QSA's Perspective

Having someone inside the company who understands the PCI DSS, who knows what evidence the assessor is looking for, and who speaks the same language (terminology) as the QSA is invaluable during an assessment. An ISA understands the storage, processing, and transmission of cardholder data within the company’s environment and can serve as an effective liaison between the company and the QSA. The ISA knows where and to whom to go for answers and evidence and is often seen as a partner during the assessment process. Anyone who has performed an audit or assessment will agree that the process is much easier when the company designates a knowledgeable champion to facilitate the assessment, and that’s precisely what an ISA brings to the table. The answer to the question of whether or not an organization should employ an ISA depends on a number of factors:

  • What is the size of the organization, and what resources do you have available?  
  • What type of PCI validation is required, and how many credit card transactions are being processed annually?  
  • What is the maturity level of your PCI DSS program?
  • Are your organization’s networks or processes for handling credit card transactions going through planned change?  
  • Are you implementing new technologies for storing, processing, or transmission of credit card data?  
  • Are you trying to reduce the scope of your PCI environment?

These are just some of the questions that need to be considered when determining if an ISA is right for your organization.

In addition, there is another important factor organizations should consider: The PCI DSS is currently going through the request for comments (RFC) process for updating the PCI DSS to version 4.0. The final standard will likely be published in Q4 of 2020 or Q1 of 2021 and may result in a significant change in how organizations are assessed. Although these changes may not affect your 2020 and early 2021 PCI assessments (there is typically a grandfather period for adoption of new PCI DSS version changes), having an ISA would be invaluable to any organization that needs to comply with PCI DSS version 4.0.

Is an ISA right for your organization? If you are asking me, the answer is yes. But then again, I am somewhat biased. For true insight into whether having an ISA on staff is right for your organization, let’s get the perspective of an ISA.

The ISA’s Perspective

As Internal Security Assessors (ISAs), we can work with our sponsoring organization towards the common commitment to securing cardholder data. As internal PCI subject matter experts (SMEs), ISAs provide assessment efficiencies to their organizations. ISAs are not typical SMEs; ISAs are specifically trained and certified on PCI requirements and assessment processes and share the same language as QSAs.

ISAs perform many security and compliance-related tasks, including continuous monitoring, internal assessments, working with the development and operations teams to recommend solutions for remediation activities, and new development opportunities to achieve or maintain PCI compliance. In this way, ISAs on staff can reduce compliance costs by helping to develop and mature ongoing security controls and processes.

ISAs create strong relationships with system control owners within their organizations and ensure the consistency and reliability of the organization’s compliance program. Through these relationships, ISAs are more familiar with the organization’s PCI environments, processes, and the security posture of the controls in place.

ISAs develop payment security expertise with in-house knowledge, and we drive and maintain PCI compliance for our sponsoring organizations. ISAs are also invaluable during annual assessments. ISAs know the control owners for each requirement, gather and review the required evidence, ensure each artifact meets the intended control prior to the QSA’s review, and provide improved efficiency for both the assessors and those being assessed. ISAs also provide added value in scheduling required interviews with control owners and facilitating any follow-up activity required.

ISAs are required to re-certify annually and, as a result, are up to date on industry changes, keeping the organization in front of changes and potential issues. With the upcoming major version update to the PCI DSS, an organization with an ISA on staff has advantages in understanding and planning for the changes to existing requirements as well as the new requirements. ISAs will be crucial in the development of controls, especially when an entity wishes to use the customized approach option for demonstrating compliance with certain PCI DSS requirements. ISAs also provide an organization with a PCI SME who can demonstrate how a defined control or a customized control meets the intended requirement, and an ISA has the knowledge and ability to demonstrate how a particular control addresses any potential grey-area findings.

An ISA is also the entity’s direct contact with the QSA and the assessing firm, creating a partnership that can be instrumental to both parties. The frequent interaction and communication during assessment periods and beyond provide familiarity with processes and a cohesive work environment with common goals. ISAs who are part of a Participating Organization can ask questions directly of the Council, take part in the development of the PCI Security Standards by providing feedback through the Request for Comment process, and participate in PCI DSS Council Special Interest Groups.

In my experience as an ISA, what stands out is that I have not yet met an ISA who is not excited about their role. From the ever-changing security landscape, to the engagement with every aspect of their PCI environment, to the constant interaction with control owners, developers, operations and support, organization leadership, and most importantly, the QSAs and their associated firms, there are lots of opportunities for an ISA to bring value to his/her organization and the PCI compliance process.

Becoming an ISA

In order to become an ISA, the candidate has to be sponsored by their company. By sponsoring a candidate, the company shows its commitment to cardholder data security and to attaining PCI DSS compliance. The prerequisites for becoming an ISA are not as stringent as those for becoming a QSA. The requirements to hold both high-level security and audit certifications do not apply to candidates for the ISA program, but having a fundamental knowledge of cybersecurity and/or IT audit does help. ISAs cannot perform assessments outside of their sponsoring company, but they can perform assessments for their company and complete self-assessment questionnaires (SAQs) to meet reporting obligations.

When an ISA’s name is included in the attestation of compliance (AoC), the merchant bank/acquirer and card brands have a higher level of confidence in the accuracy of the report, because the report is completed by someone who has been trained and is knowledgeable of the PCI DSS requirements. These benefits translate to assessments conducted by QSA firms as well. As a QSA, going into a company that has an ISA on staff often results in more robust and accurate documentation, as well as more effective testing and communication between the ISA and the QSA. After all, they are speaking the same language when it comes to the PCI DSS. Further, there is often a higher level of maturity in the security of the cardholder data environment, the quality of the documentation for both technical and administrative requirements, and fewer control test failures during a RoC assessment, due to the ISA’s ability to properly interpret the PCI DSS requirements and “pre-test” certain controls to ensure proper functionality.

The first part of becoming an ISA involves completing the PCI Fundamentals course. This is a seven-hour course that can be completed online or instructor-led, and covers:

  • Understanding the Payment Card Industry Security Standards Council and its role
  • Defining the processes involved in card processing
  • PCI roles and responsibilities
  • Understanding cardholder data
  • Defining network segmentation
  • PCI DSS assessments

Once the candidate successfully completes the PCI Fundamentals course, they are eligible to attend the ISA Qualification course. This course covers the PCI DSS requirements, testing procedures, compliance reports, and a number of other subjects to help companies achieve compliance with the data security standard (DSS). Some of the benefits of completing the ISA training include:

  • Understand the PCI DSS and how it can help protect your customer data and your business
  • Define the processes involved in card processing and network segmentation
  • Help your organization build internal expertise and assess its compliance with PCI Standards
  • Enhance payment card data security and manage compliance costs

ISAs play a valuable role in the PCI compliance process. They bring valuable insights to their organization’s PCI compliance program, control posture, and assessment process, and often improve the outcomes of PCI compliance initiatives as well.

You can find more information on the ISA program or how to become an ISA at https://www.pcisecuritystandards.org/program_training_and_qualification/internal_security_assessor_certification.
