What it Takes to be a PCI-Qualified Security AssessorThe Payment Card Industry Data Security Standard (PCI DSS) is intended to help organizations proactively protect sensitive customer account data. The standard was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International.
The PCI Standard includes the following security objectives for organizations to be in compliance:
PCI however, is not a regulation imposed by the government, but rather a security standard developed and regulated by major credit card companies to initiate consistent data security measures within companies, dealing with customer's credit cards on a global basis. Having said this, the risk of PCI lip noncompliance is high. Consider these newsworthy data breaches:
In addition to being vulnerable to data breaches and other security incidents, noncompliant businesses can be imposed with steep fines from the credit card companies and may face civil, criminal and legal issues as well. Add loss of customer confidence and decreasing sales to the mix, and PCI noncompliance becomes a recipe for disaster!
Equally important, the continually changing nature and technology of the bankcard fraud environment means today's merchants are faced with a landscape of growing risks where the need for acute awareness and vigilance is constant.
Still, PCI promoters say noncompliance is often mis-reported.
" 'I was PCI compliant and I was breached' -- this is a very misleading statement," says Bob Russo, General Manager at PCI Security Standards Council. "When a company is PCI compliant, it is within a snapshot of time. Companies need to ensure that their goal is to be secure and not just gain a compliance certification".
The PCI Security Standards Council operates an in-depth program for security companies and their individual employees seeking to become Qualified Security Assessors (QSAs), and to be re-certified each year.
How to become a PCI-QSA
Once a security professional decides to become a PCI-QSA Assessor, they first need to look for a security company which is QSA certified by the PCI Security Standard Council and apply for sponsorship. The PCI Council requires all training attendees to be full time employees of a Validated QSA company.
The security professional will then need to complete the application process with the PCI Council and undergo and pass the Council's two-day QSA training course and an open-book exam and receive official certification.
The QSA applicant must meet either of the following minimum requirements, and a resume must be submitted with the council reflecting:
"PCI- QSA Assessor is a very good career choice for security professionals with grounded experience and expertise, as PCI is getting significantly recognized; the market for QSAs is getting stronger," says Blake Huebner, CISSP, CPISM, QSA, a PCI team lead at NetSpi, a security assessment and program development consulting company based in Minneapolis, MN.
Brian Eberhardy, CISSP, PCI-QSA, Sr. Consulting Engineer, Sensage, a log data warehouse company for compliance auditing including PCI, DCID 6/3, FISMA, agrees with Huebner on the growth and popularity of PCI coupled with the QSA role, which he mentions, "is one of the most sought after career choices for security professionals who enjoy consulting and doing audits."
Both Huebner and Eberhardy provide first-hand information, insider tips and career advice on what it takes to be a PCI-QSA:
1. The PCI-QSA role is ideal for individuals who are currently compliance officers, part of the internal audit team or are from the business operations and security infrastructure end. "Professionals who are reasonably technical and understand the business processes ... and then applies technical skills to these business processes - they are ones who will do well as an assessor," Huebner says. "Being a PCI assessor is not that cut and dry and cannot be learned straight by the book."
"An ideal QSA candidate is a security professional who has moved up the ladder from a strong IT and Networking background, to being a security engineer and, ultimately, being involved in audit and compliance," says Eberhardy.
2. Skill set and Information include:
3. Benefits of the PCI-QSA Role: