
The Payments InfoSec Manager's PCI and Issuer Audit Playbook

$199.00

A focused course, tailored for you


How a payments-processor security manager runs the year so PCI DSS 4.0, sponsor bank reviews, and acquirer assessments land without rework.

PCI DSS 4.0 went fully mandatory at the end of March and the questions the sponsor bank, the QSA, and the merchant portfolio now ask are not the questions the team was set up to answer.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

An Information Security manager at a payments processor sits at the intersection of four pressures that do not fit on one dashboard. The QSA opens with the new 4.0 evidence requirements: payment-page script monitoring under 6.4.3, change-and-tamper detection under 11.6.1, targeted risk analyses for every periodic activity, customised approach justifications where the team chose not to use the defined approach. The sponsor bank's annual security questionnaire pulls in supply-chain, BCP, and incident-response evidence that lives in three different teams' tickets. The merchant portfolio team is moving thousands of small merchants onto SAQ A or SAQ A-EP and someone has to say which is correct given the redirect topology each merchant deployed. And inside the card data environment, the HSM key custodian rotation, the cryptoperiod tracking, the AES key block enforcement deadline, and the ROC scope diagram have to agree to the same boundary. None of those four streams maps cleanly to a NIST CSF function or a SOC 2 trust service criterion. The manager who can pull them onto one calendar, one evidence library, and one risk register is the one who gets the program through Q4 without an interim report.

What you walk away with

  • Run the PCI DSS 4.0 evidence cycle for the in-scope CDE on a single calendar that the QSA, the sponsor bank, and the internal audit function all reference.
  • Stand up the 6.4.3 and 11.6.1 payment-page script monitoring evidence pack so the next sponsor bank questionnaire is answered from a library, not a fire drill.
  • Govern the merchant portfolio SAQ population across SAQ A, SAQ A-EP, SAQ D-Merchant, and SAQ D-Service Provider without the acquirer side discovering misclassified merchants mid-breach.
  • Document the HSM key custodian ceremony, AES key block enforcement, and cryptoperiod tracking so the ROC scope diagram, the customised approach justifications, and the targeted risk analyses agree.
  • Brief the CISO and the audit committee in the language of customer trust, sponsor bank confidence, and assessor predictability, not in the language of control IDs.

The 12 modules

Module 1. The payments InfoSec manager's operating picture
Lay out the four pressure streams (QSA, sponsor bank, merchant portfolio, internal CDE) on one operating picture. Identify which artefacts each stream actually consumes, which controls overlap, and where the gaps between teams currently leak rework. Build the role-level RACI that says who owns the customised approach, who owns the targeted risk analyses, who owns the merchant SAQ classification, and who owns the HSM ceremony, so the rest of the year stops being an escalation queue.
Module 2. PCI DSS 4.0 6.4.3 and 11.6.1 payment-page script evidence pack
Build the inventory, integrity-monitoring, and change-control evidence for every script on every page that touches cardholder data, including iframe and third-party tag scenarios. Cover the customised approach for processors who chose a CSP-plus-integrity-hash route over a vendor product, the targeted risk analysis that supports detection frequency, and the daily evidence the QSA will sample. Output is a download-ready evidence library mapped to 6.4.3 and 11.6.1 sub-requirements.
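The Module 2 description names a "CSP-plus-integrity-hash" route for the 6.4.3 script inventory and the 11.6.1 change detection. The block below is an added illustration of that route, not code from the course or from Art of Service. It builds a baseline of authorised payment-page scripts with their Subresource Integrity (SRI) hashes and written justifications, generates the matching `<script integrity=...>` tags and a hash-source Content-Security-Policy, and then diffs a later snapshot of what the page serves against the baseline to surface new, missing, or modified scripts. The hosts, script bodies, and justifications are constructed sample values.

```python
# Added illustration of a script-inventory baseline (6.4.3) and drift check (11.6.1).
# Not the course's or Art of Service's code. URLs, script bodies and justifications
# below are constructed sample values.
import base64
import hashlib
from dataclasses import dataclass


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


@dataclass(frozen=True)
class InventoryEntry:
    url: str
    integrity: str
    justification: str  # 6.4.3 asks for a written reason each script is necessary


def build_inventory(authorised: dict[str, tuple[bytes, str]]) -> dict[str, InventoryEntry]:
    """Baseline: one entry per authorised script, keyed by URL, with its SRI hash."""
    return {url: InventoryEntry(url, sri_hash(body), why) for url, (body, why) in authorised.items()}


def detect_drift(baseline: dict[str, InventoryEntry], observed: dict[str, bytes]) -> list[tuple[str, str]]:
    """Compare what the page serves now against the baseline (the 11.6.1 check).

    Returns (finding, url) pairs: scripts not in the inventory, inventoried scripts
    that disappeared, and inventoried scripts whose content no longer matches.
    """
    findings = [("unauthorised-script", url) for url in observed.keys() - baseline.keys()]
    findings += [("missing-script", url) for url in baseline.keys() - observed.keys()]
    findings += [
        ("integrity-mismatch", url)
        for url in baseline.keys() & observed.keys()
        if sri_hash(observed[url]) != baseline[url].integrity
    ]
    return sorted(findings)


def script_tags(baseline: dict[str, InventoryEntry]) -> list[str]:
    """<script> elements pinned to the inventoried hash; a changed file fails to load."""
    return [
        f'<script src="{e.url}" integrity="{e.integrity}" crossorigin="anonymous"></script>'
        for e in baseline.values()
    ]


def csp_header(baseline: dict[str, InventoryEntry]) -> str:
    """Hash-source CSP matching the inventory. Under CSP3 an external script is
    allowed by a hash-source only when its integrity attribute carries that hash,
    so the header and the tags from script_tags() enforce the same list."""
    sources = " ".join(f"'{e.integrity}'" for e in baseline.values())
    return f"script-src {sources}; object-src 'none'"


# Constructed sample data (hypothetical hosts and script bodies).
AUTHORISED = {
    "https://pay.example/js/checkout.js": (b"window.checkout = function () {};", "card entry form"),
    "https://vault.example/js/tokenizer.js": (b"window.tokenize = function (pan) {};", "PAN tokenisation"),
}
BASELINE = build_inventory(AUTHORISED)

# A later crawl of the payment page (constructed): tokenizer.js changed,
# checkout.js vanished, and a tag nobody approved appeared.
OBSERVED = {
    "https://vault.example/js/tokenizer.js": b"window.tokenize = function (pan) { /* modified */ };",
    "https://tags.example/analytics.js": b"/* unapproved tag */",
}


def run_example() -> list[tuple[str, str]]:
    """Drift findings for the constructed snapshot above."""
    return detect_drift(BASELINE, OBSERVED)


if __name__ == "__main__":
    for finding, url in run_example():
        print(f"{finding}: {url}")
    for tag in script_tags(BASELINE):
        print(tag)
    print(csp_header(BASELINE))
```

Each finding maps to an evidence artefact the QSA can sample: the baseline is the 6.4.3 inventory with justifications, the diff output is the 11.6.1 detection record, and the frequency at which `detect_drift` runs is what the targeted risk analysis for 11.6.1 has to justify.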
Module 3. Customised approach and targeted risk analyses as living artefacts
PCI 4.0 lets a processor design a customised approach for any defined-approach control, but only if the analytical artefacts hold up. Walk through the customised approach worksheet, the targeted risk analysis template the AT&T-era Council guidance actually accepts, and the documented assurance evidence that has to accompany each. Cover which controls are worth customising (key management cryptoperiods, log review frequency, vulnerability scan cadence) and which are not.
Module 4. Merchant portfolio SAQ governance for acquirers and ISOs
When a processor's downstream merchant book runs into the thousands or tens of thousands, the SAQ classification call (A, A-EP, B, B-IP, C, C-VT, D-Merchant) is a portfolio-level program, not a per-merchant decision. Build the redirect-topology decision tree, the SAQ-A versus SAQ-A-EP boundary that the 4.0 e-protect language tightened, the questionnaire collection workflow, the AOC tracking spreadsheet structure, and the escalation path when a Level 4 merchant turns out to look like a Level 2.
Module 5. Card data environment scope, segmentation testing, and the ROC diagram
The single artefact the QSA spends the most time on is the CDE scope diagram. Walk through annual scope confirmation, segmentation penetration test scoping for 11.4.5 and 11.4.6, the in-scope versus connected-to versus security-impacting boundary, and how to defend a tokenisation-based scope reduction without conflating P2PE assumptions. Output is a ROC-ready scope narrative and diagram pack.
Module 6. HSM key ceremonies, AES key block deadlines, and cryptoperiod tracking
The card brand AES key block enforcement deadlines and the PCI 3.7 key management requirements demand documented ceremonies that auditors can re-walk. Cover dual control and split knowledge ceremonies, key custodian agreements, cryptoperiod definition (with the targeted risk analysis that justifies the period chosen), key block migration plans for legacy TDEA infrastructure, and the ceremony recording format that survives a Coalfire walkthrough.
Module 7. Sponsor bank security questionnaire and acquirer attestation playbook
Sponsor banks (the Wells, the BMO, the Fifth Third class of relationships) issue annual security questionnaires that go well beyond PCI: supply chain, BCP, incident response, regulatory examination history, and SOC 2 attestation cross-references. Build the answer library, the evidence pointer system, the cross-walk from PCI controls to the questionnaire's bank-internal control framework, and the response calendar that protects acquirer status.
Module 8. Vulnerability management, penetration testing, and ASV evidence under 4.0
The 11.3 internal vulnerability scan, the 11.3.1 external ASV scan, the 11.4 penetration testing program, and the 6.3 vulnerability prioritisation now have to interlock. Cover ASV vendor selection and re-test workflow, the segmentation pen test versus application pen test scoping line, the authenticated internal scan that 11.3.1.2 added, and the targeted risk analysis that supports any deviation from the defined cadence.
Module 9. Incident response, forensic investigator readiness, and PFI engagement
When a payments processor takes a card-brand security event call, the next call is to a PFI. Build the IR runbook that aligns to PCI 12.10, the evidence preservation steps that a PFI investigation actually consumes, the card brand notification timing, the sponsor bank notification timing, and the customer-communication holding statements. Cover the tabletop cadence and the post-incident lessons-learned format the auditor will sample.
Module 10. Vendor and service-provider PCI evidence chain
Every third party that touches the CDE (cloud HSM, fraud scoring vendor, BPO call centre, managed SOC, tokenisation provider) has to land on the 12.8 list with AOCs, responsibility matrices, and risk-rated tiers. Build the AOC tracker, the responsibility matrix template that fixes the perennial "who does what" gap, the annual due-diligence cycle, and the contractual flow-down that protects the processor when a service provider's AOC lapses.
Module 11. Briefing the CISO, the audit committee, and the sponsor bank in three different vocabularies
Same underlying program, three different readouts. The CISO wants risk language and resourcing asks. The audit committee wants residual-risk movement and assurance coverage. The sponsor bank wants control evidence and compensating-control logic. Build the three-deck pattern, the heatmap that maps to each audience, the monthly steering format, and the language conversion table that stops the same finding from being told three different ways.
Module 12. Integrating PCI with SOC 2, GLBA Safeguards, and the issuer-side examinations
A US-listed payments processor lives inside more than PCI. The SOC 2 type 2, the GLBA Safeguards Rule program, the state insurance equivalents in some lines, the issuer-side examinations the sponsor bank inherits, and increasingly the NYDFS Part 500 conversation if the entity touches a New York-regulated issuer, all share controls. Build the unified control inventory, the once-and-reuse evidence pattern, and the assessment calendar that prevents the same control from being tested three times in three formats.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 2 and 3 land directly on the PCI 4.0 control changes that went fully mandatory recently and are the most common QSA opening question this cycle.
Modules 4 and 10 address the portfolio-and-vendor sprawl that an acquirer or processor scale brings, which is what differentiates this role from a corporate-IT InfoSec manager.
Modules 5, 6, and 8 are the in-CDE technical evidence chain (scope, key management, vulnerability), where rework is most expensive when the QSA opens an interim finding.
Modules 7, 11, and 12 are the upstream stakeholder layer (sponsor bank, CISO, audit committee, parallel attestations) where the InfoSec manager's narrative either lands or doesn't.

What you get with this course

  • Twelve written modules in the Art of Service learning environment, each with its own download pack of templates and worked examples.
  • The 6.4.3 / 11.6.1 payment-page script evidence library template, ready to populate against the recipient's actual page inventory.
  • Customised approach worksheet and targeted risk analysis templates for the four highest-yield controls in a payments-processor environment.
  • Merchant-portfolio SAQ decision tree and AOC tracker, sized for an acquirer or large ISO book.
  • ROC-ready CDE scope narrative and diagram template, with the tokenisation and P2PE scope-reduction language that survives QSA review.
  • Sponsor bank questionnaire answer library structure, with the PCI-to-bank-control crosswalk pattern.
  • The hand-built implementation playbook tailored to the recipient's specific acquirer / issuer / processor mix, written after enrolment and delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Weeks one and two: modules one through four (operating picture, script monitoring evidence, customised approach, merchant portfolio SAQ governance).

Weeks three and four: modules five through eight (CDE scope, HSM and cryptoperiods, sponsor bank questionnaire, vulnerability and penetration testing).

Weeks five and six: modules nine through twelve (incident response and PFI, vendor evidence chain, briefing patterns, parallel attestations).

Ongoing access for at least twelve months for re-reads as the next assessment cycle approaches.

Before and after

Before

PCI 4.0 evidence is being patched together each quarter from tickets, screenshots, and the QSA's prior-year working papers. The sponsor bank questionnaire is answered from scratch every year. The merchant portfolio SAQ classifications are managed in a spreadsheet that the acquirer side has not seen since onboarding. Three different teams own the HSM ceremony, the script monitoring, and the merchant program, and nobody owns the gap between them.

After

One operating calendar carries the PCI 4.0 evidence cycle, the sponsor bank questionnaire, the merchant SAQ governance, and the CDE technical attestations. The customised approach justifications and the targeted risk analyses live as versioned artefacts the QSA can re-walk in five minutes. The CISO briefing, the audit committee briefing, and the sponsor bank briefing draw from the same evidence library in three different vocabularies. The QSA's interim report has no surprises and the year closes on schedule.

What happens if you do not address this

The recent PCI 4.0 mandatory date means the next ROC cycle is the first where the customised approach justifications and targeted risk analyses are not optional. A processor whose 6.4.3 script monitoring evidence is thin, whose merchant SAQ governance has stale classifications, or whose HSM ceremony documentation does not match the cryptoperiods in the targeted risk analysis is the processor whose ROC opens with an interim report. An interim report at a payments processor is not a private document. The sponsor bank sees it, the card brands see it, and the next acquirer onboarding conversation has to be re-opened.

Who it is for

An Information Security manager (not director, not analyst) inside a US-listed payments processor, acquirer, or large ISO. Has a QSA relationship and a sponsor bank relationship. Owns the CDE day to day, briefs the CISO weekly, signs off the merchant SAQ governance, and is in the room when the ROC scope is being negotiated. Has three to ten direct reports across security operations, GRC, and the payments-specific compliance function. Is the person who actually writes the customised approach justifications and the targeted risk analyses, not the person who reviews them.

Who this is NOT for. Not for the CISO who delegates PCI entirely. Not for the QSA-in-training looking for assessor methodology. Not for the merchant-side security lead whose company files an SAQ once a year and never touches a sponsor bank conversation. Not for a fintech that has outsourced its entire CDE to a level 1 service provider and only consumes the AOC.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook tailored to the recipient's acquirer / issuer / processor mix delivered alongside course access.

Time investment. Roughly six to eight hours across the twelve modules for a first read, with each module's template pack adding two to four hours of applied work against the recipient's own environment. The implementation playbook is meant to be worked through with the team across one assessment cycle.

Why $199 is the right number

A QSA engagement bills against the assessment, not against teaching the team how to run the year. A SANS or ISACA generalist GRC course teaches PCI as one framework among many. A free vendor-sponsored webinar from a script-monitoring vendor sells the tool, not the program. This course is the per-recipient implementation reference for the InfoSec manager who already has the QSA, already has the sponsor bank, and needs the operating layer in between to be theirs and not the QSA's.

FAQ

Is this a substitute for a QSA?
No. The QSA still issues the ROC. This course makes the InfoSec manager the person whose evidence library, customised approach justifications, and targeted risk analyses the QSA samples from, instead of the person whose evidence library the QSA has to help assemble each year.
Does the implementation playbook actually get tailored to my environment?
Yes. The playbook is hand-built after enrolment against the recipient's specific acquirer relationship, sponsor bank, merchant portfolio shape, and CDE topology. That is what the 199 USD includes.
Will this help if my organisation is a Level 1 service provider, not a Level 1 merchant?
Yes. The merchant portfolio module is for processors and acquirers whose downstream book is merchant-side; the rest of the modules cover the Level 1 service provider AOC, the sponsor bank questionnaire, and the issuer-side examinations that a processor lives inside.
Does this cover the AES key block enforcement and the customised approach worksheet specifically?
Yes. Module six covers the AES key block migration and ceremony evidence end to end, and module three is the customised approach worksheet and targeted risk analysis pattern as living artefacts, not a one-time checkbox.
How is delivery handled?
Written course pages in the Art of Service learning environment, downloadable templates and worked examples for every module, plus the per-buyer implementation playbook delivered alongside course access.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.