How to Become a QSAWhat are the Skills and Experience Necessary to Join the Expanding Workforce? The Payment Card Industry Data Security Standard (PCI) is one of the hottest topics in information security today. And PCI Quality Security Assessors (QSAs) are among the most sought-after of security professionals.
"PCI- QSA Assessor is a very good career choice today for security professionals with grounded experience and expertise," says Blake Huebner, QSA and PCI team lead at NetSpi, a consulting company based in Minneapolis, MN. "As PCI is getting significantly recognized, the market for QSAs is getting stronger."
What, then, does it take to become a QSA?
Like any external penetration tester, QSA's are hired for two reasons: knowledge and experience. QSAs are largely responsible for client-site data security assessments, gap analysis, remediation services, general PCI consulting and advice. Depending on the size of the company and number of distinct credit card processes, most engagements last somewhere between two and six months. Each QSA varies in how deep they need to go when auditing a company, but most will need to review and examine all settings, network and system configurations and documents.
How to Become a QSA
Once a security professional decides to become a QSA, they first need to look for a security company certified by the PCI Security Standard Council and apply for sponsorship. The PCI Council requires all training attendees to be full-time employees of a validated QSA company. The individual will then need to complete the application process with the PCI Council and undergo and pass the Council's two-day QSA training course. As of this past January, a closed book exam is also required to receive the certification.
The QSA applicant must meet either of the following minimum requirements, and a resume must be submitted with the council reflecting:
- CISSP, CISA or CISM Certificate, or
- 5 Years of IT security experience in a Resume' format
- All QSA Program training attendees must sign and accept the PCI SSC QSA Employee Certification form and submit at the time of attending training.
Prior to attending the PCI training session it is strongly recommended for candidates to familiarize themselves with the following publications available from the PCI Council:
- PCI Glossary
- PCI DSS
- PA-DSS Security Audit Procedures
- Summary of PABP to PA-DSS Changes
- PABP to PA-DSS Transition
- QSA Validation Requirements - PA-QSA
- Program Guide
- PCI PA-DSS FAQ
The primary contact at the QSA company will be notified of test results two weeks after the exam. Employees who fail may retake the training and test for an additional fee. If the employees pass, the QSA Company will be sent a certificate that validates the employee for the next 12 months.
"The selection process for QSA companies is tough, as they need to go through an in-depth program to become qualified security assessors and require being re-certified each year," says Bob Russo, General Manager at PCI security standards council. In addition, starting last year the PCI Council has enforced a stringent internal quality assurance program that all QSA companies need to adhere for effective assessment and performance.
The QSA role is ideal for individuals who are currently compliance officers, part of an internal audit team or are from the business operations and security infrastructure end. Professionals who are reasonably technical and understand the business processes are ones who will do well as an assessor. "Being a PCI assessor is not that cut and dried, and cannot be learned straight by the book," says Huebner.
An ideal QSA candidate is a security professional who has moved up the ladder from a strong IT and Networking background to being a security engineer and, ultimately, being involved in audit and compliance.
Skills that help include:
- General understanding of how the credit card industry works;
- Strong information security background with solid experience in variety of security and IT applications/platforms, databases/servers and network configurations. "Almost 50% of the QSA job requires technical expertise," adds Huebner.
- Background in auditing helps individuals to perform the assessments more meticulously.
- CISSP, CISA and CISM certifications help in providing good exposure within different aspects of security, including encryption, asset management, logging, policy.
- "Soft skills are equally important for the QSA role," says Huebner. "As presentations need to be made to the client company's management team, the QSA is a consultative role, and individuals need to be comfortable with the social situation they get into on a daily basis, as well as they need to enjoy client interaction".
Here is a list of the current QSA certified companies - a good place to start for job seekers interested in this career option.
See Also: 5 Myths and Realities of PCI Compliance