What is a PCI Internal Security Assessor? I read that PCI SSC runs training programs for PCI ISAs, but I'm not sure what that is. What are they, and do they help enterprise compliance?
The Payment Card Industry Security Standards Council (PCI SSC) operates the Internal Security Assessor (ISA) program as a means for certifying the PCI DSS expertise of employees who work for merchants, banks and payment processors. This program is designed to work hand in hand with the PCI Qualified Security Assessor (QSA) program that certifies external assessors. The PCI ISA program provides a team of trained internal individuals who can easily work with QSAs and bring consistency and reliability to an organization's internal compliance process. Qualified organizations, therefore, can participate by having their internal security audit professionals apply for the ISA program, though the organizations themselves must become certified as an ISA Sponsored Company.
It's important to note that the ISA program, unlike the QSA program, is not mandatory. It is simply an opportunity for organizations to build their PCI DSS bench strength by having internal staff who are well qualified to work in the payment compliance field. Companies with a PCI ISA on board may find themselves better positioned to push back against grey-area findings issued by outside QSAs. A PCI ISA program member would also likely be more familiar with their organization's IT environment, internal processes and other compliance programs and requirements. Despite those benefits, ISA members may lack an outsider's perspective, which can sometimes be valuable to the auditing process.
Individuals seeking to earn ISA status must be nominated by the merchant or service provider that employs them on a full-time basis. They must then complete an online or in-person training program and pass the PCI ISA certification exam.