QSAs must pass an evaluation from the Council every year, in addition to earning at least forty CPEs, in order to maintain their QSA designation. Prior to 2010, this meant finding a QSA Requal class near you and having your primary contact book your attendance in said class1. Trainers come and go, as we have seen over the years, and a few years ago I sat through a session, together with a good number of my team, led by a new trainer.

One of the most important steps a QSA must get right is choosing the correct scope for the assessment. Getting that step wrong sets the whole assessment and the PCI experience up for failure. This topic tends to be one of the first things that trainers review during their sessions. The theme for that particular year was the introduction of tools that can help a QSA perform assessments.

A data discovery tool can help someone validate scope by searching files for regulated data, in this case cardholder data. The trainer showed us a free tool called Spider from Cornell, lauding it as a fantastic asset for any QSA performing an assessment. While learning how useful such a tool could be during an assessment, one of the QSAs on my team took the demo to mean that these types of tools are REQUIRED to comply with PCI DSS. After attending this training he went to a client site and told the customer that, in order to pass their assessment that year, they had to install some kind of Data Loss Prevention (DLP) technology, which might include something like Spider. There was no requirement to use DLP in PCI DSS, yet a trained and certified QSA had just told a customer they needed it in order to pass!
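To make concrete what a discovery tool of this kind actually does when it "searches files for cardholder data", here is an added example written for this page; it is not Spider's code and not anything from the Council. It assumes a deliberately simple candidate pattern (13 to 19 digits, optionally separated by single spaces or dashes), uses the Luhn check to discard most non-PAN digit runs, and reports only a masked form of each hit so the scanner's own output does not become a new store of cardholder data. The sample files are constructed inline for the example.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash.
# The look-arounds stop the scanner from starting or ending inside a longer
# digit run, so a 20-digit serial number is skipped rather than truncated.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    source: str   # file name the hit came from
    offset: int   # character offset of the match in that file
    masked: str   # first six and last four digits, middle replaced by '*'


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    # Keep the BIN and the last four; this is the usual display form that
    # is not itself treated as a full PAN.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str = "<memory>") -> List[Finding]:
    """Return masked findings for every Luhn-valid PAN candidate in text."""
    findings: List[Finding] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(source, m.start(), mask_pan(digits)))
    return findings


def scan_paths(paths: Iterable[Path]) -> List[Finding]:
    """Scan real files; bytes are decoded leniently so binary files don't abort the run."""
    results: List[Finding] = []
    for p in paths:
        text = p.read_bytes().decode("utf-8", errors="ignore")
        results.extend(find_pans(text, source=str(p)))
    return results


# Constructed sample "files" for the example (not real customer data).
# The invoice holds a Luhn-valid test PAN plus a 16-digit order reference
# that fails Luhn; the CSV holds another test PAN and a phone number.
SAMPLE_FILES: Dict[str, str] = {
    "billing/invoice-2019-03.txt": (
        "Invoice 10442\n"
        "Card on file: 4111 1111 1111 1111 (exp 03/21)\n"
        "Order ref: 1234567890123456\n"
    ),
    "exports/customers.csv": "id,name,card\n7,Jane Doe,4012888888881881\n8,John Roe,555-0100\n",
    "logs/app.log": "2019-03-02 10:15:33 INFO checkout ok txn=88213\n",
}


def scan_samples() -> List[Finding]:
    results: List[Finding] = []
    for name, content in SAMPLE_FILES.items():
        results.extend(find_pans(content, source=name))
    return results


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source}:{f.offset}: {f.masked}")
```

Two caveats a QSA would want alongside the tool. First, a Luhn-valid 16-digit number is not necessarily a PAN: the checksum removes obvious noise such as the order reference above, but not every identifier that happens to satisfy it, so hits still need a human look. Second, a discovery scan tells you where cardholder data sits today; it does not by itself reduce scope or stand in for DLP, and nothing in the standard requires either tool.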

Assessing against PCI DSS is a learned art that you can only refine by doing many assessments. Two days of class time and a test won’t get you that knowledge—a problem we will touch on later. The finesse of a good assessor will far outweigh the technical knowledge of a newbie.

