CPE Policy

Objective

SISA’s certification schemes are designed for digital payment industry security professionals to safeguard the payment ecosystem through effective deployment of technology controls. These certifications are awarded to individuals who meet specific criteria and are valid for three years. To maintain the certification, this policy emphasizes the importance of Continuing Professional Education (CPE), ensuring that certified professionals stay current, competitive, and eligible for recertification through ongoing learning and skill enhancement.

Scope

This CPE and Recertification Policy applies solely to individuals who hold the CPISI certification issued by SISA. At present, professionals holding other SISA certifications are not subject to this policy and remain exempt until further notice.

Definitions

  • CPISI: Certified Payment Industry Security Implementer, a designation offered by SISA to professionals with demonstrated knowledge in PCI DSS implementation.
  • CPE (Continuing Professional Education): Learning activities that help certification holders maintain competence and stay up to date with developments in the field of information security.
  • CPE Credit Point: A unit of measurement equivalent to one hour of qualified professional development activity.
  • Recertification Cycle: A fixed 3-year period in which CPISI professionals must meet the minimum CPE requirements.
  • Certification Expiration Date: The date on which a CPISI certification will lapse unless recertification is achieved.
  • Recertification Assessment: A formal evaluation or structured interview to verify continuing competency, applicable to randomly selected individuals during audit.

Continuing Professional Education:

Continuing Professional Education (CPE) refers to the ongoing learning activities that professionals engage in to maintain and enhance their knowledge, skills, and competencies in their field. It is especially important in dynamic industries like digital payment security, where technologies and threats evolve rapidly. CPE ensures that certified professionals remain current with industry standards, regulatory requirements, and best practices. By participating in CPE, individuals not only uphold the credibility of their certifications but also demonstrate a commitment to professional growth and excellence.

Recertification Cycle

The recertification process will comprise 6 key elements, as shown in the following “Recertification Cycle”.

[Figure: Recertification Cycle]

CPE Requirements:

All individuals holding the CPISI certification are required to complete a minimum of 30 Continuing Professional Education (CPE) hours over a three-year certification cycle. To ensure consistent professional development, a minimum of 8 CPE hours must be earned in each year of the cycle. This requirement is intended to help certified professionals stay current with evolving technologies, industry standards, and best practices in digital payment security, thereby maintaining the relevance and integrity of their certification.

Eligible Activities:

The following list of activities serves as a guideline for CPISI-certified professionals seeking recertification. These activities are recognized as valid forms of Continuing Professional Education (CPE) and are intended to help candidates meet the required CPE credit hours. While this list is not exhaustive, it provides a reference framework to ensure that learning efforts are aligned with the objectives of maintaining professional competence and staying current with developments in the digital payment security domain.

| # | Activities Description | CPE Credits | Maximum Credits Allowed Per Year |
|---|---|---|---|
| 1 | Attending technology conferences or symposiums on Cloud Security, Risk Management, AI in Cybersecurity and allied infosec domains | 2 credits per hour | 10 credits per year |
| 2 | Publishing a peer-reviewed white paper or article on payment security | 5 credits per article | 10 credits per year |
| 3 | Delivering training or speaking at conferences on security and compliance related topics | 2 credits per hour | 6 credits per year |
| 4 | Taking relevant industry training related to Payment Security, Business Continuity, Resilience Building, Software Architecture, Audit Management, Risk Management, Securing AI etc. | 1 credit per hour | 10 credits per year |
| 5 | Active participation in PCI Council working groups or forums | 3 credits per year | 3 credits per year |
| 6 | Attending online webinars on IT/security topics | 1 credit per webinar | 5 credits per year |

Documentation and Evidence:

Certified professionals are required to maintain accurate and verifiable records of all completed Continuing Professional Education (CPE) activities. Acceptable forms of documentation include, but are not limited to, certificates of attendance, event agendas, proof of participation, and official transcripts. These records must be retained for the duration of the certification cycle and may be subject to audit or verification by SISA as part of the recertification process.

Reporting and Submission:

To ensure proper tracking and validation of Continuing Professional Education (CPE) credits, certified professionals must submit details of their completed CPE activities to the certifying body. This submission can be made through SISA’s designated online portal or by completing the prescribed CPE submission form. Alternatively, professionals may email their documentation directly to recertification@sisainfosec.com for review. Submissions must include all relevant supporting documents, such as certificates of completion, event agendas, or proof of participation. It is the responsibility of the certified individual to ensure that all information is accurate, complete, and submitted within the required timeframe to be considered for recertification.

Audit and Verification:

All CPE evidence submitted by certification holders shall undergo an independent review conducted by the Certification Manager or a designated representative. This review process is designed to ensure the authenticity, accuracy, and relevance of the submitted activities. As part of the verification mechanism, SISA reserves the right to conduct random or scheduled audits of CPE submissions. These audits may include requests for additional documentation or clarification to validate compliance with the CPE requirements outlined in this policy.

Recertification:

Upon successful review of the submitted CPE evidence, if all required parameters and criteria are met, the Certification Manager or designated reviewer shall recommend the renewal or extension of the certification’s validity. This recommendation will be forwarded to the respective Business Unit Head for final approval. Recertification will be subject to the candidate completing the applicable recertification fee payment. Once approved and payment is confirmed, the list of professionals whose certifications have been renewed or extended shall be documented and presented during the Monthly Management Review Meetings for organizational visibility and governance oversight.

Revocation of Certification Credential:

The CPISI certification may be subject to revocation under specific conditions, including failure to fulfil the Continuing Professional Education (CPE) requirements within the designated three-year cycle, submission of falsified or misleading CPE records, non-payment of applicable recertification fees, or involvement in ethical misconduct as determined by SISA. In the event of revocation, the individual will lose their certified status and must reapply and successfully complete the full CPISI certification process, including all assessments and requirements, to regain certification.

Reconsideration and Appeal:

Certified professionals whose CPISI recertification is denied or whose certification has been revoked have the right to appeal the decision. Appeals must be formally submitted to SISA within 30 calendar days from the date of notification of the decision. The appeal must include a detailed written statement outlining the grounds for the appeal, along with all relevant supporting documentation or evidence. Appeals submitted after the deadline or without adequate justification may not be considered. All appeals will be reviewed by the designated Appeals Committee, and SISA’s final decision on the matter shall be binding and not subject to further review.

CPE Application Form