Sin #5 – The FNG

The Flipping New Guy (FNG) causes havoc wherever he goes. He also goes by the Pimply-Faced Youth (PFY) in some circles, and is often labeled as having the talent to tame a lion, but the experience to raise a hamster. He’s the guy that just went to new QSA training, passed his test, and showed up to do some good, old-fashioned assessing!

Three Days of Ground School

One summer, well after I became a QSA, I earned my private pilot certificate. If you ask my wife, she will tell you she remembers me babbling all of these fantastic (my word, not hers) bits of knowledge that I was learning every day, and passing the time in the evening with at least one book in my lap instead of talking to her. I worked hard to earn my certificate, and learn something new almost every time I fly.


Let’s say that you decide you want to become a pilot. You sign up for a crash course (pardon the phrase) in flying which includes three days of intense ground school training. Now imagine that at the end of those three days, your instructor throws a set of keys at you and says, “Nice work today! Here are the keys to a Cessna 172. It’s full of gas, and the runway is over there. Have fun!”


Almost as terrifying as a new QSA running his first PCI assessment.

My experience as a QSA is similar to that example in many ways. I took two days of training and passed a test to prove I had retained the information (or could quickly look it up during the open-book test). Just like a student taking a plane up solo for the first time, my first real PCI assessment was frightening.

The only thing on my side during that assessment (other than my training) was the baseline of security and technology knowledge I earned before I started working with PCI DSS. I was an expert at *NIX operating systems, web-application development and databases, and had a good working knowledge of electronic payment processing. But that didn’t qualify me to review z/OS systems for compliance with PCI DSS! It took time to earn the knowledge that I rely on now when I am asked complex PCI DSS questions.

Newly minted QSAs rarely have the base of knowledge required to correctly perform a PCI Assessment on their own.

Identifying the FNG

The consulting business is full of slick salesmen. Were you promised an experienced QSA during the sales cycle? How do you know if they sent a newbie that is good at taking tests?

Before you sign the papers on that contract, you should be interviewing the lead QSA that will be responsible for your assessment. Do your research and ask him hard questions. You will be spending some time with this individual over the next several weeks, so you should invest some time to choose a suitable one. Next, ask what their team will look like. Some companies will send one lead QSA with a few non-QSAs to perform these assessments. You can imagine the issues that will cause down the road.

The Council provides you with a way to see if the consultants are current (Verify Your QSA Here). New QSAs will have anywhere from nine to eleven months left on their certification. You won’t be able to tell if they have been certified more than once, but you can certainly ask the question of the QSA when she arrives. When it comes to PCI, “Trust, but Verify” should be the guiding principle on both sides of the assessment process.

If you didn’t get to do this during the buying process, there are other clues you can use to see if you are dealing with a newbie. Not only will they make many of the mistakes I’ve identified (and frequently), but they will struggle to get through their part of the assessment. Look for someone with a printed-out copy of the standard furiously flipping pages during interviews. No paper? Look for someone staring maniacally at their laptop doing a lot of scrolling. Most experienced QSAs can spout off requirement numbers from memory or have a predictable style they use during the interview process and only use paper or digital material as a reference.





This post originally appeared on
