If you can believe it, it has been nearly seven years since the last update to the Qualification Requirements for Qualified Security Assessors (QSAs). This document is the guide that assessors use in their business dealings with the Council. It explains how a firm can become a QSA Company, who is qualified to be a QSA employee, and how the ecosystem works around that whole group.
The changes are quite substantial, as evidenced by the change log. The last entry, for 1.2, simply stated alignment issues with PCI DSS v1.2. This version has nineteen entries, including alignment with PCI DSS v3.1. I’m not going to review all the changes here, but I do want to highlight a couple of big changes.
For those of you who have lived through braces on your teeth, these changes feel like that time when you went in to get them tightened and your mouth hurt for a few days. It’s a tightening up of requirements across the board: longer violation periods, more requirements for companies and employees, and new codes of conduct. The document is worth a review even if you are NOT a QSA. Unfortunately, the Council did not provide a detailed changes document like they do for changes to the standard, so your review will be fairly manual.
Probably the most significant change that I saw is candidates must now have a certain kind of security or audit certification. Today, it says you must have at least ONE from the list of eight, but they indicate that they may require one from each group in the future. Ironically enough, that change would mean that I no longer qualify to be a QSA.
Certification in our industry is a hotly debated topic. Many of us have held and maintained security certifications for more than fifteen years. Certification alone does not make a good security professional—experience does.
Here’s what I find strange though. The Council is a certifying body that provides training, testing, vetting, and ultimately designations for those in the field who perform these assessments. While it is not rare for a certification body to consider other earned certifications during the vetting process, I’m struggling to figure out the intent behind requiring a third-party certification to become a QSA. It sends a mixed message—implying that they don’t believe in their own program enough to qualify an individual, so they require some other program to also qualify said individual. If the Council felt like they needed better (or more qualified) individuals in their QSA pool, why wouldn’t they just make the testing more stringent? This seems like a problem that could be solved internally rather than pointing to other certifications as a requirement to be a QSA. Maybe the current fail rate of the QSA exam is just too low? While we don’t know for sure, the CISSP and CISM pass rates are generally thought to be in the 60-70% range.
Next, I noticed that the Council has added in a provision stating that any on-site reviews of QSAs are now at the expense of the QSA. This alone makes me glad I’m not responsible for a QSA company today. As a former consultant, alarm bells are going off everywhere. Not only do I pay significant fees to be listed on the website and for the Council to train, qualify, and test my people, but I’m subject to added expenses for an on-site visit? Who approves those expense reports? Can they stay at the Ritz and book first class tickets? How many steak dinners will the review take? I think this is an overall negative for the program. The Council would be better off instituting a raise in QSA fees to create a pool for on-site audit dollars, from which they can draw.
Finally, I had a friend talk to me about some of the evidence collection requirements that have changed, but as I review it I feel like it is just more documentation on how a company does things. They still require that all assessment results and related materials can be made available to the Council upon request (apparently, in a non-redacted format, so I hope the Council has similar evidence handling policies that QSAs are required to have), and that all materials are maintained for three years. There is probably no better reason than this to find ways to remove PCI DSS from your plate.
So back to the headline, is the Council trying to kill the QSA program? Obviously, no they are not. But, perhaps, it is a nudge in that direction. Assessment costs will have to rise to compensate, fewer people will qualify to be QSAs, which reduces the labor pool size, and now all of a sudden it makes sense to invest in an end-to-end encryption solution or perhaps self-assess. If you are following where I am going with this, it should reduce the demand for QSAs over time, which should lead to companies dropping out of the program and costs going down as supply bloats over demand. What are your thoughts? Drop them in the comments below!