Friday, 13 August 2010

Blame the game #QSAs

QSAs get a lot of criticism from the security and business communities. Following a recent discussion on QSA quality and how it could be improved to give clients a better experience, I decided to look at the existing QSA qualification requirements and the course structure on the PCI SSC site. This may help me understand whether the criticism is justified and what can be done to address it.

Cost

New QSA Training Fee - $1,250 USD
Annual Requalification Fee - $995 USD

Experience/Background

CISSP, CISA or CISM certificate, or
5 years of IT security experience, in résumé format

Training

The class test is closed book; the only document you will be allowed to reference during the test is a translation dictionary, if needed.

Day 1

Module 1 - PCI DSS Program Overview
o    PCI Security Standards Council
o    Roles & Responsibilities
o    Payment Industry Terminology
o    Payment Transaction Flow
o    Service Provider Relationships
o    Payment Brand Compliance Programs
o    SAQ Overview
o    PA-DSS Applicability

Module 2 - PCI DSS Assessment Scoping
o    Cardholder Data Discovery
o    Cardholder Data Flow
o    Cardholder Data Storage
o    Network Segmentation
o    Scoping the Cardholder Data Environment

Day 2

Module 3 - PCI DSS Requirements
o    PCI DSS v1.2 Overview
o    PCI DSS v1.2 Requirements
o    PCI DSS Assessment Preparation
o    Report on Compliance Documentation
o    Prioritized Approach for PCI DSS 1.2

Day 3

Module 4 - Compensating Controls
o    Compensating Controls Definitions
o    Compensating Controls Worksheet
o    Compensating Controls Examples

Team Case Studies

Exam

Module 5 - PCI DSS Compliance Program Development
o    Ten Common Myths of PCI DSS
o    PCI Compliance Process
o    PCI Compliance Recommendations
o    Information Security Management System Implementation (ISO 27001)



I took the QSA training around mid-2008 and, having sat the CISSP exam before, I thought the QSA test was relatively light. I'm sure many others share my view, and this is partly reflected in the changes introduced in January 2010.


The test structure has since changed: it is now a closed-book, computer-based test with a continuing education requirement (120 hours over 3 years, with a minimum of 20 each year).


From a QSAC's point of view (a QSAC is the company that employs QSAs - the 'C' stands for 'Company'), they'd want as many of their qualified consultants as possible to be QSAs to support clients, and the QSA training cost can be recouped in a few days of QSA consultancy. To add to this, the prerequisites to qualify are not very stringent either: one needs to show 5 years of IT security experience. I'm not sure whether this experience is validated directly by the SSC. I believe it remains the QSAC's responsibility to do so.


Understanding the businesses, the transaction process and the various relationships between parties is not an easy task. It is not something that an individual with 5 years of IT security experience, 3 days of training and a test can readily address. Assessments cannot be consistent either, as the standard is open to interpretation. Acquirers have been proactive and have published guidance on call recording of SAD (sensitive authentication data) after authorisation to avoid misinterpretation, but every acquirer has its own PCI team with its own interpretations and requirements. It becomes difficult for QSAs to 'sing from the same hymn sheet'.


To improve this, tiers/levels could be assigned to QSAs based on the assessments they have done. I'm sure every QSA will agree that it is a learning process: no QSA knows 100% of everything when he/she comes out of the training. If a freshly qualified QSA is assigned to a relatively difficult project without any support from a 'gold' or 'silver' QSA, that is down to the QSAC, and it shows in the client's experience. Since it is an assessment/audit role with a technical emphasis, it may also help if certifications like CISSP, CISA or CISM were made mandatory. Most QSAs already hold one of these certifications, so it shouldn't be too onerous.


On the bright side, I have seen the QSA market mature over the last year, and QSACs are asking for experienced QSAs with several RoCs under their belt. This is a good thing. Organisations are also maturing in how they address PCI compliance, engaging a QSAC early so that experienced QSAs can lead them towards a successful assessment. All this comes at a cost, a cost that some organisations may not have foreseen in their business plans. That's when the fun begins. Dave did a great post on selecting your QSAs here.
