Will your QSA Breach your Contract?
Your QSA may not be telling you the whole story. No, I’m not talking about sloppy assessment work. What I’m referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors require that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the doc linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement! In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their ...