Friday, November 18, 2016

Becoming a Payment Card Industry Professional (PCIP)

 

I am very proud to say that I now hold the Payments Card Industry Professional (PCIP) certification. This is a journey that took me about 6 months to complete and I'll share some tips and experience I've picked up on my way to becoming certified.

The registration process starts by submitting your application as well as supporting documentation to the PCI Council via their website. The approval typically takes about two weeks and it might be that they ask you for proof of work experience and additional security certifications. In my case I've been fortunate to have about a decade of experience in the InfoSec field in general, and 3 years working for clients who need to be PCI-DSS compliant.

What do you need to do?

Once your application is approved you need to attend the PCIP course. This can be either on-line or classroom based. If you are new to the PCI-DSS field I would strongly suggest attending the classroom training, as access to the instructor as well as conversing with peers in the industry can be invaluable. If you have PCI-DSS experience then the on-line course will suffice.

Once you have completed the course, the PCI Council will register a user ID for you on the Pearson Vue website and provide you with a voucher to take the exam. It is up to you to do the booking on the Vue website. It is important to note that you have to use this voucher within 30 days of your training. If you fail the exam you can book to take it again at your own cost. If, heavens forbid, you fail it a second time you will have to attend the PCIP course again.

Preparing for the exam

First and foremost, know the PCI-DSS 3.2 Standard inside out. You do not have to know things like requirement 3.2.1 states that etc. You will however need to know how to successfully meet every requirement. In my case there was also a strong focus on the various Self-Assessment Questionnaires (SAQs) and in which cases they would be applicable. I was not tested on Reports of Compliance (ROC) or Attestation of Compliance (AOC) at all.

You should also know when encryption, strong cryptography, hashing, tokenization and masking should be used as well as the difference between all these. Make sure you know exactly when Compensating Controls are allowed, as well as what are the requirements for acceptance of those. I got maybe one or two question from the supplemental (Virtualization and TLS specifically). You don't have to study them in depth, but do read through them and understand the intent.

Next Steps

I find assisting our clients on their path towards PCI-DSS compliance to be an extremely challenging and rewarding endeavour. As such, the next step on my journey is to become a PCI Internal Security Assessor. I believe this will add tremendous value over and above that which we already provide to our clients in the financial services sector.