The PCI Security Standards Council recently announced their Internal Security Assessor (ISA) program[1], and it seems like the response is overall positive. I have spoken to a few QSAs who are afraid this may contribute to a decline in the business, as there is dissension in the ranks of those being assessed[2].

ISAs are GOOD for QSAs, and as a QSA you should prefer to assess companies that have installed them in their teams.

I was speaking to a colleague late last year at a PCI gathering and he mentioned that his last internal PCI assessment consumed over 3,000 hours.

Three thousand hours, folks.

This was not a giant company either (Level 1 merchant). Using standard consulting rates, you are looking at a price tag of anywhere from USD$650K-$750K. I’ve seen assessments get that big, but they are usually global in nature, with many business lines and some degree of autonomy outside the central IT organization. I would have probably scoped the same assessment at around 400-500 hours.

This organization will send several people to become ISAs, and will probably continue to do their own assessments, but they will not be the norm. I believe companies will invest in their employees to add one or two ISAs to their staff, and use that as a checkpoint to 1) keep their QSA honest, 2) truly understand what needs to be done to comply, and 3) push their QSA to do a thorough job (this is not happening today). This is GOOD for QSAs, and we should embrace it!

Companies hire CPAs and attorneys, but they still use accounting and law firms for expertise when they need it. Sure, some tasks will be taken off the table, but the ones that remain (or are added) will be considered strategic, and will be significant engagements for the firm providing the services.