
How does a PCI ISA help enterprise security and compliance?

Enterprise compliance can be a burden to manage, which is where a PCI ISA can be helpful. Expert Mike Chapple explains how a PCI Internal Security Assessor helps with security.

What is a PCI Internal Security Assessor? I read that PCI SSC runs training programs for PCI ISAs, but I'm not sure what that is. What are they, and do they help enterprise compliance?

The Payment Card Industry Security Standards Council (PCI SSC) operates the Internal Security Assessor (ISA) program as a means of certifying the PCI DSS expertise of employees who work for merchants, banks and payment processors. The program is designed to work hand in hand with the PCI Qualified Security Assessor (QSA) program, which certifies external assessors. The PCI ISA program gives an organization a team of trained internal staff who can work readily with QSAs and bring consistency and reliability to the organization's internal compliance process. Participation happens at two levels: the organization itself must first be certified as an ISA Sponsored Company, and only then can its internal security audit professionals apply to the ISA program.

It's important to note that the ISA program, unlike the QSA program, is not mandatory. It is simply an opportunity for organizations to build their PCI DSS bench strength by having internal staff who are well qualified to work in the payment compliance field. Companies with a PCI ISA on board may find themselves better positioned to push back against gray-area findings issued by outside QSAs. A PCI ISA program member is also likely to be more familiar with their organization's IT environment, internal processes and other compliance programs and requirements. Despite those benefits, ISA members may lack the outsider's perspective that can sometimes be valuable to the auditing process.

Individuals seeking to earn ISA status must be nominated by the merchant or service provider that employs them on a full-time basis. They must then complete an online or in-person training program and pass the PCI ISA certification exam.


This was last published in September 2016
