Information Security Jobs: PCI Security Standard Council

By Peter H. Gregory

The PCI Security Standard Council is required knowledge for anyone in the information security field. Organizations that store, process, or transmit credit card data are subject to one or more standards meant to ensure the protection of credit card data. PCI (Payment Card Industry) Security Standards Council, a non‐profit organization formed by the major credit card brands (VISA, MasterCard, American Express, Discover, and JCB), manages these standards and certifications.


The Payment Card Industry Data Security Standard (PCIDSS) is an industry standard established and maintained by the PCI Security Standards Council. Usually known as PCI‐DSS or just PCI, this standard requires organizations that store, process, or transmit credit card data to comply with all applicable requirements in the standard. The following organizations are required to comply:

  • Card issuers such as banks and credit unions

  • Payment processors and gateways

  • Merchants

  • Any service provider that handles cardholder data

PCI is primarily enforced through the major credit card brands. Any organization that is unable or unwilling to comply with PCI can be fined by one or more of the card brands, and even be cut off from being able to issue or process cardholder data.

Organizations that process a smaller number of credit cards per year are permitted to self‐certify to the PCI‐DSS. Larger organizations are required to undergo an annual on‐site audit by an organization certified to conduct these audits.

All organizations that process any number of credit card records are required to undergo a quarterly security scan of its external assets, performed by an organization certified to perform these scans.


The Payment Application Data Security Standard (PADSS) is an industry standard for the certification of commercial payment applications that process credit card transactions. The PA‐DSS is especially useful for merchants and other organizations seeking software applications; by selecting a PA‐DSS–certified application, they can reduce the scope of audits and compliance efforts.

Qualified Security Assessor (QSA)

Qualified Security Assessor (QSA) is a certification affixed to an organization that performs PCI audits. All individual employed in a QSA‐certified organization that will be performing PCI audits are also required to undergo annual training and examination for QSA certification.

Internal Security Assessor (ISA)

Internal Security Assessor (ISA) is a certification earned by a security or audit professional as an employee of an ISA sponsor company. An ISA sponsor company is a merchant or service provider that will agree to sponsor one or more of its employees for PCI training. By having an employee ISA certified, the organization can better understand what they must do to maintain PCI compliance.

Individual QSA and ISA certifications are granted to security professionals with their present employers. If the QSA or ISA professionals leave their employer, they lose QSA or ISA certification and must become recertified by their next employer.

Approved Scanning Vendor (ASV)

An Approved Scanning Vendor (ASV) is a company that has been certified by the PCI Security Standards Council to perform the quarterly security scans that all merchants and service providers are required to undergo.

PCI Forensic Investigator (PFI)

A PCI Forensic Investigator (PFI) is a company that has been certified by the PCI Security Standards Council to perform forensic investigations on organizations that have suffered a security breach of its cardholder data.