If you’re asking yourself if you should start a career in cybersecurity audit and compliance, you’re reading the right article. It seems like there’s news about large company data breaches, cyber scams and cybercrimes every single week. With these issues, a career in compliance and IT security is becoming an increasingly lucrative career path. In this article, I will discuss why you should consider a career in cybersecurity audit and compliance.
There are various laws and standards that govern different aspects of cybersecurity audit and compliance. The focus of this article is the Payment Card Industry standard (PCI DSS). Other articles will address other standards.
The average salary of a PCI Security consultant in the US is OVER $100,000. So, this is definitely an article that you want to read.
As the number of payments made online increases, so do the number of data breaches. Essentially, hackers target the various systems used to store, process, or transmit payment card information because that information is valuable in the cybercrime market. Companies need to combat this by having adequate cybersecurity controls in place. This means that there is a huge demand for professionals who can help businesses ensure that their customers’ data and payment information is secure.
In this blog, I will cover the following topics
- What is PCI DSS?
- What are the PCI DSS Requirements?
- Available PCI Training and Certifications
- How to prepare for the PCI Certification Exams
- How to transition to a career in PCI DSS?
Let’s start off by discussing what PCI DSS is.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. This is a set of requirements that has been put in place by the PCI council. The requirements are a set of rules (controls) that companies seeking PCI compliance status should abide by if they store, process or transmit card data. PCI DSS is considered the gold standard when it comes to card security compliance and companies can use their PCI compliance status to improve their overall sales revenue.
What are the PCI DSS Requirements?
There are 12 PCI requirements grouped into 6 categories. The categories and requirements are shown in the table from the PCI Security Council below. The text format is also available for easy review. As noted above, companies seeking PCI compliance status need to adhere to these requirements and their adherence is testing during a PCI assessment.
- Build and Maintain a Secure Network and Systems
- 1. Install and Maintain Network Security Controls.
- 2. Apply Secure Configurations to All System Components.
- Protect Account Data
- 3. Protect Stored Account Data.
- 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.
- Maintain a Vulnerability Management Program
- 5. Protect All Systems and Networks from Malicious Software.
- 6. Develop and Maintain Secure Systems and Software.
- Implement Strong Access Control Measures
- 7. Restrict Access to System Components and Cardholder Data by Business Need to Know.
- 8. Identify Users and Authenticate Access to System Components.
- 9. Restrict Physical Access to Cardholder Data.
- Regularly Monitor and Test Networks
- 10. Log and Monitor All Access to System Components and Cardholder Data.
- 11. Test Security of Systems and Networks Regularly.
- Maintain an Information Security Policy
- 12. Support Information Security with Organizational Policies and Programs.
What are the available training and certifications for PCI?
PCI has quite a number of training and certifications available to students. It is important to note that most of the certifications require a company to sponsor you before you can even schedule the exam. So, you will need to review each certification requirement and see if you have the necessary qualifications.
Below are the available PCI training and certifications and what they cover at the time this article is being published. This was obtained from the PCI website, and you can check their site for the current list at any time.
- 3DS: Provides training on how to perform assessments of 3DS Environments in accordance with the PCI 3DS Core Security Standard
- Acquirer: Provides training on how to acquire specific tools to help your clients with their PCI DSS compliance
- Awareness: Provides training on how to understand how PCI Standards can help protect cardholder data
- ASV: Provides training on how to validate adherence to the external scanning requirement of the PCI DSS
- CPSA: Provides training on how to perform assessments in accordance with the PCI Card Production and Provisioning Standards.
- ISA: Provides training on how to perform internal assessments for PCI compliance
- PA-QSA: Provides training on how to perform PA-DSS assessments and associated testing
- PCIP: Provides training on how to apply the PCI Standards to your organization and earn a renewable PCI credential
- P2PE: Provided training on how to get a solid foundation to assess point-to-point encryption compliance
- QIR: Provides training on how to securely install, configure and maintain validated PA-DSS payment applications
- QPA: Provides training on how to perform assessments of entities in accordance with the PCI PIN Requirements
- QSA: Provides training on how to perform PCI-DSS assessments of merchants and service providers
- Secure SLC: Provides training on how to perform assessments of entities in accordance with the Secure Software Lifecycle Requirements and Assessment Procedures
- Secure Software: Provides training on how to perform assessments of payment software in accordance with the Secure Software Requirements and Assessment Procedures
- Working from Home: Security Awareness: Provides training that outlines many of the threats and challenges of handling and securing payment account data within home offices and remote working environments.
How to successfully prepare for your PCI DSS certification exam.
When it comes to preparing for certification exams, you have to follow certain steps to ensure that you are successful. I have 8 IT certifications (including the PCI ISA certification) and I passed all the exams the FIRST time!
Check out this article where I discuss how to pass your certification exams the first time. The article includes a free download of a certification exam guide. If you’re looking to get any certification, this is a must have guide to ensure that you don’t have to repeat the exams over and over again.
Now, that we’ve covered the basics of PCI, let’s discuss how you can start a career in the field.
How to start a career as a PCI Security professional
In this article, I talk about the 7 steps to launch your career in Tech. One of the stages involves identifying the career path that you want to pursue. Once you have decided to start a career as a PCI Security Audit and Compliance Professional, the next step is to obtain the required training and skills. You need to look for a program that offers practical training which gives you the skills necessary to successfully perform on the job. You can study the PCI DSS Requirements yourself but make sure you find a way to understand and practice the testing activities. This will enable you to show future employers that you have the actual assessment skills.
There you have it. I hope you enjoyed this article about starting a career in IT/Cybersecurity Audit and Compliance with PCI DSS. If you’re wondering what your next steps should be, I suggest reviewing more about PCI from their official website.
You can also check out these other related posts.