While I was at the community meeting, I chatted with several individuals that had feedback on the conference, and here are a few nuggets distilled from over an hour of audio recordings:
-
Council is getting better at understanding how reports are generated, but there still seems to be an inability to tie any given report back to the environment assessed. For example, was it scoped correctly? Were the controls assessed per the intent of the standard? Was the appropriate risk-based approach taken?
- CBT Requalification is convenient, but lacks the flowing Q/A that you might see in an interactive training course. May consider trading an in-person training (or interactive training) every so often as opposed to all CBT.
- Large variance among QSAs is still seen as a problem. It seems like every assessor I spoke with said something along the lines of, “Every single customer of mine that had a different QSA in the previous year is struggling with my findings because I found more than one item the previous QSA found.”
- Where are the ASV-specific breakouts? Seems like there is not enough overlap between QSA and ASV sessions, and there is benefit to having separate sessions. (As a side note, I seem to remember separate sessions in years past.)
- There may be some interesting new QSA/ASV disagreement issues depending on how a company scans, especially with respect to continuous scanning.
- “The value proposition of being good at assessing is hard to sell in this industry.” If the QSA is graded the same during the QA process, the merchant ends up with the same piece of paper at the end, why would they spend 40-60% more?
- QSAs cannot find everything, yet they are typically expected to do just that.
- Bring back Birds of a Feather!
Really good feedback. The general Q/A sessions had some of the same nonsense that I have written about many times before (prompting calls from individuals about my brutal honesty), so to end this post, I want to revisit something I wrote two years ago in Vegas. It’s called “Ask the Council.”
If you are headed to Europe, read this post before stepping up to the microphone.
Possibly Related Posts:
- PCI DSS 4.0 Released plus BOOK DETAILS!
- PCI Council Loses $600K in Revenue, PO Population on the Decline
- Why PCI DSS 4.0 Needs to be a Complete Rewrite
- Orfei Steps Down
- Should you be a PCI Participating Organization?