Where to begin with this post Chris? I’ll paraphrase the gems that resonate with me:

“My biggest frustration is when you cannot get a clear answer from an assessor on complex scenarios and complex technologies…

…QSAs that actually know technology, understand security controls, are able to contextualize a security control as applied to a technology, and are willing to tell you that you are either right or wrong – not some of this wishy-washy, not willing to take a side approach that leaves as much uncertainty about a scenario then when you first started seeking feedback.

…know technology and security at a very granular level; to an extent most reasonable folks would not anticipate. The reason this is important is because it helps with understanding the intent of some of the PCI-DSS requirements as well leveraging compensating controls when there may be a gap.”

We’ve cycled through this experience as well. Being able to cut through the ambiguity and clearly address the heart of the matter has eased our approach significantly when dealing with the so-called “score keepers” in our environment.

It’s interesting how simple philosophies, even discussed back in the early 90′s, like network segmentation (or the politically correct term “zoning”) has been so difficult to achieve by many.

@Chris…
— that’s either the most ringing endorsement ever, or a PSA (or maybe a paid advertisement). You’re spot-on with the QSA comments, and I’ve actually seen companies choose the *least competent* ones possible to get away with as much as possible… which sounds right, doesn’t it? To find some group you’re comfortable with is good… to know they’re doing a great job is better – to have the complete trust you have in PSC… that’s unheard of.