PCI-DSS Training/Certification Suggestions

matai Member Posts: 232
Hey, I have to start doing some PCI-DSS assessments coming up. I'm somewhat familiar with that but would like to get training or maybe certified in it.

Do you all have any suggestions for PCI-DSS training or certifications?

Current: CISM, CISA, CISSP, SSCP, GCIH, GCWN, C|EH, VCP5-DCV, VCP5-DT, CCNA Sec, CCNA R&S, CCENT, NPP, CASP, CSA+, Security+, Linux+, Network+, Project+, A+, ITIL v3 F, MCSA Server 2012 (70-410, 70-411, 74-409), 98-349, 98-361, 1D0-610, 1D0-541, 1D0-520
In Progress: Not sure...


  • j.petrov Member Posts: 282
    Matai, look at doing the PCI-QSA.
  • joneno Member Posts: 257
    Your organization should look into ISA or PCIP training for you.
  • 5ekurity Member Posts: 346
    PCI QSA is the way to go.
  • 636-555-3226 Member Posts: 975
    The question you need to ask yourself is whether or not you're going to be an assessor that rubber stamps orgs based on what's on paper, or do you have the skillset to actually test their systems on a technical level to see if they're doing what's on paper. In my experience most assessors go the rubber stamp route. Don't know too many who are technically proficient enough to actually investigate through the technical level.
  • dayglo Member Posts: 30
    PCI-P is the certification you can achieve without working for a company which processes payment cards.
    If you have a company which processes, transmits or stores payment cards, you can go for PCI-ISA (internal security assessor) certification.
    To be a PCI-QSA, you take the same test as the PCI-ISA but you work for a company which can assess other companies for PCI compliance.

    I'm a PCIP and WAS a PCI-ISA but that is tied to the company I worked for.

    There are other PCI-based certifications specializing in forensics and payment processing, but I am not familiar with those.

    636 - PCI is the opposite of what you are stating. It is very "prescriptive", and for each of the "dirty dozen" and its 100+ subtasks, it looks for a policy, and whether or not the policy, technical, and detective controls actually satisfy the intent of what is required by PCI.

    It dives deep into the actual implementation of the intent of each requirement. It's definitely NOT a checkbox!
  • dayglo Member Posts: 30
    Is your company certified to perform PCI assessments? If so, you can have PCI-QSA/ISA training and take the test. If you are assessing other companies, then you can be a PCI-QSA. If you are assessing your own company, then you can have the PCI-ISA certification.

    But if you or your company are not certified, then you cannot state that you are doing "PCI-DSS assessments". Rather, you are performing "PCI Readiness" or "PCI Gap assessments". You can, however, become a PCIP.

    You can take the PCIP test (there is online mandatory training and an online test) if you or your company are not officially under PCI mandate.

    The PCI-QSA and PCI-ISA tests are identical. I believe the PCIP test is a bit different but I'm not 100% sure.