Tags ArchivesQSA

Is the Council Trying to Kill the QSA Program? standard

If you can believe, it has been nearly seven years since the last update to the Qualification Requirements for Qualified Security Assessors (QSAs). This document is the guide that assessors use in their business dealings with the Council. It explains how a firm can become a QSA Company, who is qualified to be a QSA employee, and how the ecosystem works around that whole group. The changes are quite substantial, as evidenced by the change log. The last entry, for 1.2, simply stated alignment issues with PCI DSS v1.2. This version has nineteen entries, including alignment with PCI DSS v3.1. I’m not going to review all the changes here, but I do want to highlight a couple of big changes. ...

Continue Reading

PCI Council Revokes QSA Status (Finally?) standard

You readers know that I used to run one of the larger QSAs, and I took pride in the team we built, the work we did, and what our customers said about our experience. Yes, we actually had customers tell us that they LIKED their QSA. How rare is that today? Since getting out of that business, I have spent quite a bit of time helping my customers operate more securely, and in conjunction with that, comply with various standards like PCI DSS. The only time I’ve heard more colorful language describing someone is when my wife screams at the TV during football. BARELY more colorful. Earlier this month, the PCI SSC announced they were revoking the QSA and PA-QSA ...

Continue Reading

How Deep is Deep Enough? standard

After my last post on the Lack of Understanding in QSAs, Brad emailed me and asked how much a QSA or ISA should look behind the curtain for someone like an Iron Mountain (analogy used in the post). I feel like a bad consultant/blogger because I only pointed out a problem, but didn’t point out a solution. It’s OK though, I’m over it now. How deep is deep enough? Here is a basic guideline: Is the service provider currently on the PCI DSS Global Registry of Service Providers, and is their listing current? If so, I think most QSAs would look at how the data is handled prior to the handoff, make sure that the handoff and contracts are compliant ...

Continue Reading

The Lack of Understanding in QSAs standard

This topic seems to keep coming back, and it’s getting more frequent. I mentioned this as an element of Sin #2, Compensating Control Chaos in my recent paper, and more companies are coming to my team to help them through an inexperienced QSA’s assessment. The worst part is that it is a self-fulfilling prophecy. If you squeeze the dollars you pay a QSA, they will squeeze the quality and thoroughness of what you are getting. It’s been a while since I have performed an assessment from start to finish. That said, I’ve seen people ((Meaning me.)) guilty of assuming that an Iron Mountain truck seen near a company’s data center equals secure off-site transport and tracking of goods—no questions asked. ...

Continue Reading

The Council is Such a Tease with PCI DSS 2.0 standard

They totally are!  Giving us this little tiny preview of upcoming changes without really getting too specific.  It’s like me saying, “Dude, that chick is HOT!” Then when you ask me to describe her I say, “It’s a lady all right!” OK, back to the real reason you are reading this, the changes to PCI DSS and PA-DSS slated to drop on October 28 are outlined here. The majority of the document reviews the new lifecycle, how and why changes are made, and the three general types of changes outlined: clarifications, additional guidance (which is just a fancy way to say clarification), and a requirement that is evolving based on new threats or a change in the market. This release represents ...

Continue Reading

Why your QSA should not be your Security Partner standard

This one is link-laden folks.  Enjoy 🙂 It’s just mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well. Many merchants and service providers mistakenly depend on their QSAs to find all security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to get a complete and compliant ROC in the cheapest way possible.  QSA companies are motivated by three main things: Scope and price the deal in ...

Continue Reading

Personal Liability for QSAs standard

I was chatting with a colleague this week, let’s call her Anne, who had a very interesting question. “Should Anne carry personal liability insurance as a QSA working for  a QSA company?” She was trying to assess her personal liability for doing QSA work.  So let’s say Anne made a mistake, and that mistake caused a merchant to be breached, would her former employer go after Anne to make her a scapegoat after she left? I had a brief discussion with David Navetta of the Info Law Group about the idea (and please note that anything found here is NOT legal advice, and you should always talk to an attorney if you have an issue… entertainment purposes folks), and he ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!