Those of you who attended HoustonSecCon or #BSidesDFW saw my presentation entitled “The Mistakes QSAs Make.” After presenting, I thought the overall message needed to reach a wider audience than just the people who see my slides. So I set upon this endeavor and came up with the following series, entitled The Seven Deadly Sins of a QSA. I’m going to be posting it over the next couple of months (and a single PDF of the whole thing when I finish) for you guys out in the tubes.

Here is a brief intro to get things going!

Soft Landing, by moonjazz

People make mistakes—and in a people business like consulting, you can expect to see more than a few of them.

This series explores seven common mistakes Qualified Security Assessors (QSAs) make. I am speaking from a position of authority because I have made a few of these mistakes myself during my seven years helping companies comply with PCI DSS (and CISP/SDP before that). At the peak of the PCI remediation boom, I managed a team of over eighty QSAs who made many of these very mistakes. Mea culpa sessions are never fun, but the good news is that as long as you walk into the meeting with an open mind and a calm temper, you are guaranteed to learn something.

Not all problems are caused by QSAs. Merchants and service providers are just as guilty of making mistakes. You can find any number of articles beating up merchants or service providers for numerous reasons, but the goal of this series is to illustrate seven common mistakes that QSAs make, and what to do if you spot your QSA making one of them.

Readers of this series will learn to spot some of the most common mistakes, understand their impact on your organization, deal with them if they come up, and avoid them altogether.

Check back later this week for the next part which explores the first mistake QSAs make, Making Up Requirements!

This post originally appeared on
