The Payment Card Industry Security Standards Council plans to recruit more soldiers in its ongoing war against fraudsters and cybercrooks. It’s allowing any individual with a security background or interest in payments security to become a certified PCI Professional.
The PCIP program, which includes web-based training and an exam, represents the council’s first offering geared toward individuals not necessarily associated with a business or organization, says Bob Russo, the PCI council’s general manager. The web-based training will be available Nov. 1 on the council’s website.
“We’re looking at it as a really good addition to our training,” Russo says. “More education means better security.”
Previously, completing PCI payments security training would allow a security technician to certify as an Internal Security Assessor tied to a specific company, or a Qualified Security Assessor capable of reviewing and certifying a merchant payment system as compliant, Russo says.
“Now, anybody can obtain this new certification and become well-versed in PCI standards and put it on their business card that they are trained in payments security,” Russo says.
The council created the PCIP program, which targets individuals with at least two years of information technology experience, after receiving feedback from PCI’s participating organizations, he adds.
“They kept asking why individuals couldn’t receive the training, so that more IT professionals and others could have this expertise,” Russo says.
An individual completing the PCIP training “could not peddle himself as a Qualified Security Assessor” because a QSA must have support from a business or organization and satisfy insurance requirements, Russo says.
Otherwise, a PCIP-trained technician could capably serve as an independent contractor helping a merchant understand compliance standards, or operate as a payments security staffer at an organization, Russo adds.
“They wouldn’t qualify as someone who could certify my payments system as compliant, but they would qualify as someone who could help me remediate some issues if I were a merchant looking for help,” Russo says.
Persons interested in security technology will likely embrace the opportunity to develop more skills through training, says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.
McNelley agrees that more education equates to better security, but she hopes to see PCI develop security awareness training for merchants, and make it a requirement for PCI compliance.
“It’s probably most needed at the merchant level because they need to understand the security aspects of their systems,” McNelley says. “Too many merchants view PCI as a necessary evil and just a box to check off [that their system is compliant].”
For now, the council encourages merchants to take advantage of the PCIP training by having their IT employees participate to build PCI compliance expertise internally at businesses.
Currently, PCI has certified nearly 1,100 Internal Security Assessors and more than 1,700 Qualified Security Assessors operating out of more than 250 active QSA companies, according to council figures.
The PCI council plans to eventually increase those numbers with PCIP as a foundation and potential stepping stone to further security education, Russo says. In addition, the council will list those with PCIP certification in a global directory on the PCI website. Þ
Candidates seeking the PCIP certification have 30 days to complete the training module prior to scheduling the written exam at one of more than 4,000 Pearson VUE Testing Centers worldwide. Those who believe they have a solid background and can complete program requirements can skip the training and only take the exam, Russo says.
The council outlines the training requirements and costs, which vary for participating organizations and those not affiliated with PCI, on its website.
Years may pass before some merchants realize any savings from the debit card interchange-fee cap mandated by the Durbin amendment to the Dodd-Frank Act.
The measure, which President Obama signed into law a year ago, compelled the Federal Reserve to limit such fees. The Fed set the cap at 21 cents and gave issuers some leeway to add a few more cents to address fraud and other costs, which compares with the current average of 44 cents. The new fees take effect Oct. 1.
But the time it will take for those reduced fees to filter down to small merchants may depend upon the pricing strategies of independent sales organizations that signed up the merchants for debit card acceptance, observers say.
Merchants with pricing that goes by any of three names–pass through, interchange plus or cost plus–may receive the pricing break immediately, says Adil Moussa, an analyst with Boston-based Aite Group LLC. ISOs using that method are bound by their merchant agreements to simply add a fee of a few cents to the interchange rate that bank networks assess, he says.
Merchants with pricing called bundling probably will not receive the reductions anytime soon, observers say. Bundling typically divides the 70 to 80 fees set by each card brand into three broader groups that simplify monthly statements, says Moussa.
Independent sales organizations have no obligation under bundling to pass along the savings and may keep their fees unchanged and pocket the difference, observers claim.
However, that windfall for ISOs will erode over time because of competitive pressures, says Jeff Fortney, vice president for ISO channel sales at Clayton, Mo.-based Clearent LLC.
ISOs already are making their pitches to merchants, promising lower prices by switching merchant-service providers and thus laying the groundwork for dwindling margins, Fortney says.
Moussa points out, however, that 18 months to two years could pass before all of the savings find their way to small merchants. Fortney maintains that some experts expect the lag to stretch as long as three years.
Spotty awareness of the Durbin amendment and what it means may slow the process of spreading the reduction to merchants, Moussa contends.
Large merchants, which have payments experts on their staffs, pushed hard for passage of card regulation and seem extremely unlikely to allow the potential savings to go unnoticed, Moussa says.