Examples of Activities That Qualify for Continuing Education (CE) Hours

PCI SSC Activities

These activities include PCI conferences presented by the SSC such as the annual Community Meeting, the Re-qualification Training course, webinars presented by the PCI SSC, Special Interest Group (SIG) involvement and similar activities such as providing feedback when requested by the PCI SSC during an Open Feedback period of time. An individual can earn continuing professional education hours according to the number of hours of active participation. The individual is responsible for retaining evidence of their attendance and participation and should not rely on the PCI SSC to retain this information on behalf of the assessor. There is no annual CE limit for participation in PCI SSC activities.

Other Qualified Training Activities

There are many activities that may be chosen to meet the CE credit requirement. An individual may attend industry conferences and chapter meetings, ISA Sponsor Company training, university courses, seminars, workshops, and other forms of relevant meetings. Receiving additional professional certifications such as the CISSP, CISA and CISM may also qualify with a maximum of 10 CE credits per certificate. The individual may also subscribe to information security periodicals, read a book (maximum of 5 CE credits annually) and other forms of self- to receive CE credit. The intent is to demonstrate continued active exploration of new threats and vulnerabilities and the technology and methodology to mitigate such risks. Unless otherwise stated, there is no annual CE limit for participation in these activities.

For on-site training, each hour of in-class lecture may account for one CE credit. However, CE credits must always be rounded down. For example, a training class that is scheduled from 8:00am – 5:00pm would most likely account for 9 hours or 7 CE credits, as there is an assumed one-hour lunch and a couple of 15-minute breaks.

Class Scheduled 8:00am – 5:00pm

Activity    Begins     Ends       CE hours
Training    8:00am     10:00am    2
Break       10:00am    10:15am    0
Training    10:15am    12:15pm    2
Lunch       12:15pm    1:15pm     0
Training    1:15pm     3:15pm     2
Break       3:15pm     3:30pm     0
Training    3:30pm     5:00pm     1.5
======
Total       8:00am     5:00pm     7.5
Rounded down for reporting to the PCI SSC    7

Note: An individual may receive CE credit for technology-specific educational activities (e.g. an operating systems class, software development seminar, etc.) so they are better prepared to perform a security assessment. A maximum of 15 CE credits for non-security related training may be submitted.

Qualified Teaching Activities

The PCI SSC recognizes the effort to create a presentation or author an article and the amount of research often required. An ISA may accumulate a maximum of 20 CE credits annually for teaching activities.

Note: All presentations should be related to protecting cardholder information and not include sales or marketing presentations on behalf of your company. For example, a presentation to industry peers on effective firewall configurations would qualify for CE credit but a presentation on how your company’s product meets PCI requirements would not qualify.

Lecturing and other presentations: An individual can receive credit as an instructor or guest speaker for the development and the delivery of a presentation relevant to safeguarding sensitive information. An ISA cannot receive additional CE credit for the same lecture after the material has been presented to three different audiences unless the content has been significantly modified. CE credit can be earned at the rate of 2 hours of preparation for every 1 hour of delivery.

Presentation                Length of Presentation    Hours of Preparation              CE Credit
Lecture 1 – 1st Audience    2 hours                   2 hours                           4
Lecture 1 – 2nd Audience    2 hours                   0 hours                           2
Lecture 1 – 3rd Audience    2 hours                   0 hours                           2
Lecture 1 – 4th Audience    2 hours                   0 hours                           0
Lecture 2 – 1st Audience    1 hour                    3 hours (max 2 credited hours)    3
======
Total                                                                                   11

To reiterate: All presentations should be related to protecting cardholder information and not include sales or marketing presentations on behalf of your company. For example, a presentation to industry peers on effective firewall configurations would qualify for CE credit but a presentation on how your company’s product meets PCI requirements would not qualify.

Publication of articles and other literature: Authoring an article for a formal publication, website or other medium that is relevant to information security systems and practices is permissible. The publication or website must be recognized as media commonly read by industry peers. CE hours will be credited for the hours required to research (up to a maximum of 5 hours) and up to 1 CE credit for every page of content. For example, a 7-page document with 5 pages of content and more than 5 hours of research may account for 10 CE credits.

Writing Activity    Actual    Relevant Content    CE Credit To Report
Pages               7         5                   5
Hours               8         5                   5
Total                                             10

Note: Any published misinformation related to the PCI DSS or supporting programs will be disqualified from earning CE credit and may lead to termination of the ISA certification.