While I imagine there is a very deep pool of talented, passionate and highly qualified professionals and firms, without question there is a need for very robust, multi-level PCI certification (and re-certification) programs for vendors – and employees.
If you’re a retailer contemplating hiring outside resources to help with PCI compliance, the job of finding qualified help is not as easy as you might hope.
Currently, virtually anyone can declare themselves a PCI guru and sell that “expertise” to a retailer. Since the PCI police force is limited in its ability to monitor claims, and most retailers or “buyers” of PCI services (myself included) don’t have the resources, bandwidth, or experience to effectively evaluate those claims, the industry owes it to the entire payment ecosystem to help “buyers” separate the “posers” from the “players”.
There is no realistic way for retailers, except perhaps a small handful of the very largest, to effectively evaluate the expertise or qualifications of any person or vendor to assist with PCI or payment data security.
For most retailers, the only source of any independent verification or “accreditation” is PCI’s published list of Approved Companies & Providers and Visa’s published Global Registry of Service Providers. While helpful, retailer leadership needs more in this area. This includes certification programs for internal staff, as well as for third-party vendors.