ISA Training: Frequently Asked Questions about Decoding PCI Self-Assessments
Are you a level-two, level-three or level-four merchant in need of performing a PCI DSS self-assessment? Is your ISA trained through a properly accredited training program to perform SSC level assessment? Did I lose you at hello?
The Payment Card Industry (PCI) standards for information security (DSS or Data Security Standard) require that businesses show compliance when interacting with any form of credit card. The costs of noncompliance include increased processing fees, and, in some cases, the credit card company will not work with a specific merchant until that merchant is brought back into compliance with the security standard.
There are so many acronyms used when discussing PCI. What do they all mean?
Here are some helpful terms to know as we dive deeper into the topic of ISA Training and PCI self-assessments:
- PCI – The Payment Card Industry
- DSS – Data Security Standard
- SAQ – Self-Assessment Questionnaire
- ASV – Approved Scanning Vendor
- QSA – Qualified Security Assessor
- ISA – Internal Security Assessor
- SSC – Security Standards Council
How do I know which regulations my organization should abide by?
There are four levels of merchants as identified by the major card brands (though American Express’s and JCB’s transaction levels differ from the others, and Discover combines levels three and four).
- Merchant Level Four processes less than 20,000 of credit card transactions each year (American Express: less than 10,000 transactions);
- Merchant Level Three processes between 20,000 and 1 million credit card transactions each year (American Express: 10,000 – 50,000 transactions);
- Merchant Level Two does between 1 and 6 million transactions each year (American Express: 50,000 – 2.5 million transactions); and
- Merchant Level One does more than 6 million credit card transactions each year (American Express: more than 2.5 million transactions).
JCB recognizes only two transaction levels. Merchants transacting 1 million or more JCB transactions have requirements equivalent to Merchant Level One and those transacting less than 1 million JCB transactions have requirements equivalent to Merchant Level Three.
For levels two, three and four, the standards require that merchants complete a self-assessment questionnaire (SAQ), affirming full PCI DSS compliance and signed by an authorized signatory for the merchant company. This questionnaire, along with quarterly scanning by an approved scanning vendor (ASV), is designed to show that the organization has thought through its security mindset, understands the policies regarding PCI information and has plans in place to both minimize and respond to any data security events.
What is a Level Two Merchant ISA?
Since the level-two merchants are growing beyond the smaller organizations, their SAQ requirements are more stringent. Also, if a merchant (of any transaction level) has certain additional issues (e.g., recent data security breach or other risk factors), then the acquiring bank may require that the merchant meet level-one security standards. Depending on the requirements of the specific card company and the individual merchant, they may be required to use an outside Qualified Security Assessor (QSA) for an independent on-site assessment or a certified internal security assessor (ISA) to complete a self-assessment, formally executed by an officer of the merchant company.
Mastercard requires level-two merchants to have a certified internal security assessor perform the self-assessment, unless an on-site assessment is performed by a QSA. The ISA must be trained and qualified to provide the information management for a business’s PCI security needs. The ISA is a dedicated employee who has taken a PCI Security Standards Council (SCC) accredited course and passed it; this is an annual certification requirement.
What training is required for PCI SCC ISA certification?
The PCI SSC provides the ISA training and certification. Mastercard requires that an employee complete the accredited training program, including paying fees, passing the exams and signing the attestation page within the training program.
An ISA qualification is only applicable to an individual at one company while that employee is with the company. It cannot be transferred to other employees within the company or carried over with the employee if he or she moves to a different company.
Businesses and organizations that wish to apply for an ISA designation can do so here. The organization wishing to sponsor an ISA needs to meet several qualifications, including having a designated internal audit staff organized at either the departmental, group or divisional level. Additional requirements can be found on page five of the PCI SCC ISA training requirements document.
An ISA must also be a full-time employee of the sponsoring business and have a Sponsor Attestation on file. If the employee does not keep full-time status or fails to meet any of the other attestation, training, fees and other documentation requirements, the ISA qualification is no longer granted by the PCI SSC.
What Alternatives are There to Using an ISA?
For many businesses, the costs of a dedicated employee trained and certified annually outweigh the benefit of having a certified internal auditor. Again, for many other companies, their acquiring bank will not require them to have an ISA. The acquiring bank or the credit card company will have different requirements for each merchant or service provider. It is important to review the requirements for the card brands to be transacted (i.e., Visa, Mastercard, American Express, Discover, and JCB) with the acquiring bank when seeking to set up a compliance program.
For businesses that have to operate with a higher level of security assurance (businesses with more transactions or higher risk), the PCI industry requires that the merchant use a Qualified Security Assessor (QSA) instead of an ISA.
A QSA Company is a security, accounting, or related firm that goes through a different level of certification in order to qualify as a PCI SSC accredited auditing company. For larger organizations, a quarterly audit by a QSA is required by the PCI SSC, and, for the smaller level-two merchants, some credit card companies give the option to voluntarily use a QSA.
Engaging a third-party assessor may provide better results while reducing internal costs and the stress of an audit. A great QSA will also provide unique viewpoints on data security for an organization that an employee who meets the bare minimum for certification might not. However, QSAs must remain independent and cannot provide remediation assistance if they are engaged in an assessor role.
Level-two, -three and -four merchants not required to use a QSA or an ISA will often benefit by engaging a third party IT security assessor for self-assessment gap analysis and remediation guidance. A third party provider can assist the merchant in completing the self-assessment forms and becoming PCI DSS compliant.
While PCI is one area for which business must secure their data, personally identifying information (PII) is another. Whether using an ISA or a QSA, an organization should use the opportunity of the quarterly or annual self-assessment to also review how they treat PII and other sensitive information as applicable.
How can I learn more?
If you are still looking for information, this resource from Mastercard and this document from the Security Standards Council may be of help.
