What does it cost to be a PO? As of this writing it costs US$3,750 annually (originally US$2,000). For most companies, $3,750 per year is a drop in the bucket.

Originally, the big benefit of being a PO was getting involved in the shaping of the Standard when the program was launched. Big changes meant huge benefits from collaboration as firms were dramatically overhauling their technology stack to comply with PCI DSS. The Standard was new, generated lots of questions, and early adopters needed collaboration.

PO Benefits Review

Let’s take a look at the current benefits on the PCI Council’s website.

[…] the opportunity for advance review of standards and supporting materials before release, with the opportunity to provide comments directly to the Council prior to release.

In the olden days, this benefit had tons of perceived value. Changes were usually major and on a biennial basis. Nowadays, changes are minor and less frequent. Today, major changes tend to generate pushback, such as the SSL/TLS debate. Even with this debate, adjustments were made post-release—indicating that any pushback received before the release was not as effective as needed.

The effectiveness of being able to provide commentary was always questionable in my mind. So many companies in the late 2000s were focused on ways to make PCI DSS easier, more watered down, or just overall less onerous. In cases like this, the squeaky wheel just squeaked, which is why I believe associations such as NRF, ETA, NACHA, and others organized and lobbied to send a stronger message. One PO’s voice is lost, but when NACHA calls…

All Participating Organizations also receive access to exclusive communications like the weekly PCI Monitor.

Perhaps it’s the single greatest piece of weekly literature that anyone in our industry receives. If you agree/disagree, drop a note below in the comments.

The Council provides a sample to review in the December 7, 2016 issue, which included:

  • A draft release of some scoping guidance from last year.
  • A new FAQ document for non-listed encryption solutions.
  • Welcoming new POs.
  • Registration for a webinar.
  • 2017 Board of Advisor election process.
  • A promotion for the Middle East and Africa Forum as well as a promotion for QSA, PCIP, and ISA training.
  • More pitches for PCI Awareness, Corporate Group Training, and ISA training.
  • A list of news items, upcoming events and links to the four previous issues.
  • Social links (which I giggled at).

I counted one preview item that may be of value, a FAQ that is probably of value to a subset of readers, and many advertisements for Council-provided products and services. I don’t know about you guys, but it looks more like a sales outreach than something of value to a PO.

Members also receive exclusive access to quarterly webinars

The Council has gone to great lengths to point questions back at QSAs, many of whom are more than happy to do quality content for free.

[…] have the opportunity to contribute to our blog PCI Perspectives which provides another way for sharing insights, expertise and lessons learned that will benefit the PCI community and the industry as a whole.

I’m not sure if that’s a benefit for the PO or the Council. Free content that the Council can syndicate? Which party gets the value?

Complimentary attendance at annual community meetings hosted by the Council

This was also the other huge benefit when the program was launched. It allowed all parties to gather together and network, discuss, and challenge items in the standard. Assuming that you could attend the event for free, and your budget of airfare and hotel was negligible, is the time out of the office worth it?

Receive two FREE Awareness training eLearning sessions

Awareness training is good, but only two free seats? Frankly, if an unlimited number of individuals can be listed as part of the PO, then the training should be unlimited. It costs nothing to deliver, and would allow entities who must comply with PCI DSS to check off Requirement 12.6.1. I also realize this is a potential revenue hit for the Council.

Substantial training discounts on courses offered in instructor-led and eLearning formats

If you have a ton of folks going through the official training, such as ISA training, this is a good benefit. If you don’t have more than four or five employees receiving training annually, the math doesn’t work out.

Nominate and vote for representatives to stand for election to the Council’s Board of Advisors

Nominating and voting for the BoA doesn’t seem like a big benefit here when you consider that half of the companies on the original board elected in 2007 still serve on the board today. The term limit proposal never stuck. By the way, there is no transparency to the vote counts or appointments as final tallies are never posted.

Drive the Special Interest Groups (SIGs) that provide the Council with understanding and guidance on particular topics or technologies

The SIGs are a great idea on paper, but it’s tough to get right. This is a no-win situation for the Council. SIG meetings tend to be driven by 5-8 loud voices (mostly vendors) that make suggestions that align to their marketing material. The guidance document from the first Virtualization SIG is a perfect example of this.

The linked PDF lists more benefits, but the only three not mentioned above are:

  • getting exclusive access to the PO Portal (how they deliver documents),
  • having your Logo/Company Name on the PO Website, and
  • the ability to display the PCI PO program logo on your website.

If you think that’s valuable, go for it.

How to increase the value?

Unlike my consulting days where I just pointed out problems and left (my nickname in certain places was The Pigeon), I do believe there are things that would make the program more valuable:

  • Unlimited awareness training. That alone would probably drive PO sales given that employee training is a requirement. If the PO could print off their training records right before a QSA arrives (or as a record for their SAQ), companies would keep that renewal going. This might be the single biggest adjustment the Council could make to increase the value of being a PO.
  • Free ISA/PCIP training. Maybe this one can’t be unlimited, but is there a better way for the Council to increase its influence than to increase certified individuals? Computer-based training courses cost very little to deliver, and increasing your army of certified payment professionals can’t be a bad thing, right?
  • More uncensored, vertically focused case studies that solve sticky problems. People want to know how real companies solved data protection in diverse environments, managed hostile 3rd parties, deployed technology that crosses sovereign network (and nation-state) borders, and met requirements in complex environments—and they want it directly from firms who solved these problems.

As I mentioned before, votes in this ecosystem are counted in dollars. If you like the program, vote with your dollars and hit renew.

This post originally appeared on BrandenWilliams.com.