Tower of Limes, by Darwin Bell

Tower of Limes, by Darwin Bell

The PCI Council released a training course on PCI DSS 3.0 (via Security Innovation) dubbed an “Insider’s Guide” to the new standard. The training has a price tag to get access to the materials, and some might deem it a bit hefty considering it is only a 90-minute course. In fairness, the Council is competing with free here as a number of experts have already built, delivered, and recorded courseware for on-demand viewing on these differences. So any price for materials might appear to be “hefty.”

Also, don’t forget the Council already released this freely available document which should theoretically cover all of the same materials.

Is there overlap with existing training offerings? If you are relatively new to PCI DSS and have a basic understanding of the standard, this course may be a good starting point (full disclosure: I do not have access to the materials so this should not serve as an endorsement of the training). If you are a veteran, there may be other resources (like the free guide above) that serve you better.

Let’s take a look at the official, sanctioned training offerings they have in place:

  • PCI Awareness: anyone who is looking for general knowledge on PCI DSS without having a certification to show attendance. On-site courses are $1,000/seat, and eLearning courses are anywhere from $300-500/seat, depending on the number of seats.
  • PCI Professional (PCIP): anyone who is interested in getting some kind of knowledge-based certification on PCI DSS that they can carry with them, irrespective of their formal employment arrangements. This APPEARS1 to cost a minimum of $2,250 for year one & two ($1,400 for POs), and then $100/yr following.
  • Internal Security Assessor (ISA): anyone who is interested in performing assessments for their companies internally, where applicable per payment brand rules. Cost on this one is $2,600 for the initial ($1,500 for POs), and $1,000 every year after. I have argued in the past that ISAs play an important role during PCI Assessments even if you are leveraging a QSA to do the work.
You talking to me?, by Ped-X-Ing

You talking to me?, by Ped-X-Ing

The Insider’s Guide to PCI DSS 3.0 is targeted at anyone interested in the differences between 2.0 and 3.0. This 90-minute course appears to be developed by Security Innovation, sanctioned by the Council (see this press release), and completely focused on the differences between 2.0 and 3.0. The introductory cost is anywhere from a 30-36% discount off of list on a sliding scale (retailing at $49-249/seat), depending on volume. It may be useful as a stop-gap for those who are waiting for their annual training requirement to come up to see the 3.0 changes from that perspective, but I would expect any relevant changes to the standard to be covered in the other training above. I also argue that your choice on this training should align with your organization’s intentions around PCI DSS 3.0. If you are not planning on reporting 3.0 compliance before your annual training requirement in one of the above courses, you may be better waiting for the material as tailored to your particular course.

For those subject to 3.0, how do you feel about paying for information like this? Regardless if you think it should be made free or made more comprehensive, please exercise your rights as a member of this large community and send feedback to the Council. Either way, your feedback will help shape how the Council offers training in the future.

Now, If you are looking for some free training (albeit, not on PCI DSS), check out this free iOS Hacking Course! It’s from a colleague and shows some of the basics associated with iOS and security.

This post originally appeared on BrandenWilliams.com.

  1. Why do I say APPEARS all over this post? Take a look at the training sections. The council has tons of different prices broken out on this one, but does not show you a clear pathway to getting the certification. I was once told that it was only $99, but this doesn’t seem to jive with what is on the website. []