What it Takes to be a PCI-Qualified Security Assessor

The Payment Card Industry Data Security Standard (PCI DSS) is intended to help organizations proactively protect sensitive customer account data. The standard was developed by the founding payment brands of the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International.

To be in compliance, organizations must meet the PCI Standard's security objectives:

Maintaining a Secure Network
Protecting Cardholder Data
Maintaining an Effective Vulnerability Management Program
Implementing Strong Control Measures
Monitoring and Testing Networks on a regular basis
Maintaining Information Security Policy and Best Practices

PCI, however, is not a regulation imposed by a government. It is a security standard developed and enforced by the major credit card companies to establish consistent data security measures across companies that handle customers' credit cards worldwide. That said, the risk of PCI noncompliance is high. Consider these newsworthy data breaches:

Heartland Payment Systems
TJX Breach
Hannaford Data Breach

In addition to being vulnerable to data breaches and other security incidents, noncompliant businesses can face steep fines from the credit card companies as well as civil, criminal and other legal consequences. Add the loss of customer confidence and declining sales to the mix, and PCI noncompliance becomes a recipe for disaster.

Equally important, the continually changing nature and technology of bankcard fraud means today's merchants face a landscape of growing risk, in which the need for acute awareness and vigilance is constant.

Still, PCI promoters say noncompliance is often misreported.

"'I was PCI compliant and I was breached' -- this is a very misleading statement," says Bob Russo, General Manager at PCI Security Standards Council. "When a company is PCI compliant, it is within a snapshot of time. Companies need to ensure that their goal is to be secure and not just gain a compliance certification."

The PCI Security Standards Council operates an in-depth program for security companies and their individual employees seeking to become Qualified Security Assessors (QSAs); QSAs must also be re-certified each year.

How to become a PCI-QSA

Once security professionals decide to become PCI-QSAs, they first need to find a security company that is QSA-certified by the PCI Security Standards Council and apply for sponsorship. The PCI Council requires all training attendees to be full-time employees of a validated QSA company.

The security professional then completes the application process with the PCI Council, attends the Council's two-day QSA training course, passes an open-book exam and receives official certification.

The QSA applicant must meet one of the following minimum requirements and must submit a resume to the Council reflecting:

A CISSP, CISA or CISM certificate, or
5 years of IT security experience, documented in resume format

"PCI-QSA Assessor is a very good career choice for security professionals with grounded experience and expertise, as PCI is getting significantly recognized; the market for QSAs is getting stronger," says Blake Huebner, CISSP, CPISM, QSA, a PCI team lead at NetSpi, a security assessment and program development consulting company based in Minneapolis, MN.

Brian Eberhardy, CISSP, PCI-QSA, Sr. Consulting Engineer at Sensage, a log data warehouse company for compliance auditing (including PCI, DCID 6/3 and FISMA), agrees with Huebner on the growth and popularity of PCI and of the QSA role, which he says "is one of the most sought after career choices for security professionals who enjoy consulting and doing audits."

Both Huebner and Eberhardy provide first-hand information, insider tips and career advice on what it takes to be a PCI-QSA:

1. The PCI-QSA role is ideal for individuals who are currently compliance officers, members of the internal audit team, or who come from the business operations and security infrastructure side. "Professionals who are reasonably technical and understand the business processes ... and then apply technical skills to these business processes - they are the ones who will do well as an assessor," Huebner says. "Being a PCI assessor is not that cut and dry and cannot be learned straight by the book."

"An ideal QSA candidate is a security professional who has moved up the ladder from a strong IT and Networking background, to being a security engineer and, ultimately, being involved in audit and compliance," says Eberhardy.

2. The required skill set and knowledge include:

A general understanding of how the credit card industry works and is set up;
A strong information security background with solid experience in a variety of security and IT applications/platforms, databases/servers and network configurations. "Almost 50% of the QSA job requires technical expertise," adds Huebner;
A background in auditing, which helps individuals perform assessments more meticulously and write up the reports;
Certifications such as the CISSP, CISA and CISM, which provide good exposure to different aspects/domains of security, including encryption, asset management, logging and policy. "A broad knowledge within security and audit is extremely significant for this role," says Eberhardy;
"Soft skills are equally important for the QSA role," maintains Huebner. "As presentations need to be made to the client company's management team, the QSA is a consultative role and individuals need to be comfortable with the social situation they get into on a daily basis, and they need to enjoy client interaction."

3. Benefits of the PCI-QSA Role:

Built-in expertise in the PCI standard helps in pursuing multiple career paths within organizations;
Many financial services organizations look for former QSAs to take over their compliance programs;
PCI QSA certification adds value to overall performance and adds the flexibility to take on more engagements and projects, thereby increasing billable hours as a consultant;
Certification gives candidates a leg up on their peers, as hiring companies are looking for specialized talent and a broader range of expertise;
The increased popularity of PCI is leading to more demand for QSA assessors in today's job market.

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.