
Society of Payment Security Professionals

6410 N. Business Park Loop Rd. Suite E
Park City, UT 84098
(435) 615-7711

FAQs

Why was the Society formed?
Payment security has evolved to the point where it must be addressed as a unique field. Individuals who practice information security in the payments field have specialized knowledge and skills. The SPSP provides practitioners a place to congregate to share ideas and experiences, and it provides them with opportunities to expand their professional education and credentials.
What is the structure of the Society?
The Society is overseen by the Advisory Board, which is composed of Society members. The Advisory Board serves an oversight function to provide transparency of processes associated with membership and certification. There are both individual memberships and organizational memberships. For more information, please see the membership page.
What is a Payment Security Professional™?
A Payment Security Professional™ is a person who is a member of the Society of Payment Security Professionals, works within the Payment Card Industry, or in support of the Payment Card Industry, and whose job entails analysis or management of any of the following functions: fraud, information security, data security, regulatory compliance, risk management.
Is the Society affiliated with the PCI SSC?
While many members are employed in participating organizations and may work with the PCI SSC, the Society is not affiliated with the PCI SSC.
What is the difference between the PCI SSC and the Society?
The PCI SSC is a council focused upon management of the PCI DSS and other industry standards and the training and management of Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV). The Society is focused upon providing a mechanism for networking, sharing of information, education, and certification for Payment Security Professionals™.
Does the Society train QSAs?
No.  QSAs can only be trained and authorized to perform assessments by the PCI SSC.
If I am a QSA can I join the Society?
Absolutely.  Membership is open to any person or organization with an interest in payment card security.
Are the CPISM and CPISA Certifications the same as what QSAs receive?
No. QSAs are trained by the PCI SSC and must pass an exam. Once approved by the council, the QSA is able to perform assessments against the PCI DSS. Only organizations that have paid the fee and registered to work as QSACs are authorized to attend QSA training. In short, to attend QSA training a person must work for an information security firm and have significant information security experience. The CPISM and CPISA are industry-level certifications focused upon a number of different aspects of payment industry security and risk management. For specific information on the exams, please see the Industry Certifications section.
If I have a CPISM can I conduct my own PCI DSS assessment?

If an organization is a Level 1 Merchant, they may be allowed to perform their own assessment without any additional training. All Level 1 Service Providers must engage a QSA. The CPISM and CPISA Certifications are not intended to replace the QSA's role. Rather, they are intended to establish a baseline of information security knowledge within the payments industry.

Where do membership dues go?

As the Society is sponsored and managed by The Aegenis Group, the membership dues are paid to the company.  The dues are used to cover expenses such as hosting, maintenance, and licensing fees for software.