I kindly ask your permission to publish this article on under column Knowledge base on my company Web site, also we ‘re going to translate this article to ukrainian and russian languages and put it to respective chapters of the site.

Our company is focused on IT audit and IRM functions, operating in the Ukraine.

But hey – thanks for the chuckle on my second day of vacation. Off to the beach…

I probably have more experience than a vast majority of the QSAs currently in the market. Over the past 7 years I have not only conducted countless audits, but have leaded the two largest remediation efforts currently on record for the PCI Industry. I also, have an extensive background in IT Security, Forensics and Intrusion Analysis, and carry the commensurate certifications as well.

In my opinion, The Society of Payment Security Professionals is just another new certification from a small group of well meaning individuals who are trying to make a name for themselves as the “defacto” standard-gurus in the PCI Industry. I also believe it is against the guidance of the PCI SSC and could place needless legal exposure to a well intended effort.

Also, as a corporate official, you should be coached as to what certifications you “recognize” and make sure your corporate legal staff is also in alignment with such attestations.

More importantly, from my experience, I have found that an IT Security and Audit background is a good start … but a QSAs metal is forged in remediation efforts not in the “wham-bam-thank-you-ma’am” of audit.

Good luck in your search.

I have known @sfoak for sometime and he and @chipmonkey allowed me to stay with them when I arrived in the USA in September 2008 to present at the OWASP USA Conference and ToorCon prior to departing to Toronto, Canada for SecTor 2008.

I suspect internationally there would be not much difference as @sfoak also conducted the QSA training internationally (and I believe he also taught the SPSP Training but I could be incorrect about this).

“Spend money and time on compliance readiness with an external trusted adviser, such as a strategy consulting company specializing in risk management, with strong experience and exposure to both network and app penetration-testing. Risk management is so much more important than any single compliance standard (or even all of them combined).”

With all due respect, I humbly submit that there are very, very few information security focused “risk management” consultancies that could teach Chris (and his organization) much of anything.

@Andre – Thanks for the follow-up comment. The reason I stated that the QSAC is the most appropriate is based off my experience of payment processors deferring to the QSAC as to whether or not a compensating control is adequate or for interpreting various PCI-DSS language. Personally, I think it is a cop out on the payment processor side but I have witnessed these conversations. So, you wind up in a situation where you have a sub par QSAC stating one thing, a merchant stating something not in alignment with the QSAC, and the payment processor siding with the QSAC because they are the independent PCI qualified assessor. This is a liability shift-play on the side of the processors.

Without going into details, the reason my employer recently reached out to a QSAC was to get an objective third party review of a solution we are building. Once you become a level one merchant, you have to use a QSAC. Thus in scenarios where you are a level 2 merchant, almost a level 1 merchant, and spending a lot of money on a solution – you want to make sure that when you do become level 1 your solution is tight – otherwise it is a waste of money.

We are more in agreement then we are in disagreement. Some of my past PCI / QSA posts underscore my skeptcism towards QSAs- but reiterate merchants taking more responsibility for PCI-DSS. At the end of the day, I have to be the more knowledgable about PCI-DSS then any QSAC we hire; unforutnately – they carry a lot more weight in their opinion.

Thanks again for the comments Andre. Glad to see that a fellow OWASP leader cares about PCI and risk topics.

This is a really good post, mind you, otherwise I wouldn’t have commented!

However, I just think that your #6 should be #1 and the others should be like… footnotes or something ;>

To continue the good conversation, I wanted to comment further on one point you made, “QSA vendors are the most appropriate choice in the eyes of most payment processors”.

This is an interesting insight because what if QSACs are not the most appropriate choice to help with SAQs, compensating/alternate controls, or planned/future Merchant Level changes? My strawman argument here is that QSACs are notoriously low quality and lack proper risk management experience, as well as deep technical experience.

Also — I have some questions based on this comment. Assume you are right and that QSACs are the most appropriate choice to go to for compliance readiness projects for companies handling cardholder data.

Who is the next most appropriate choice? What kinds of non-QSAC security consulting/services shops or security vendors should prospecting organizations avoid?

I mean, it doesn’t make any sense to hire out a QSA to do work that isn’t required by a QSA, right? Or are you suggesting that prospecting organizations instead use non-QSA people from a QSAC for all compliance readiness work? Again, this brings me back to my point that QSAC != quality.

In relation to 2.

Are you referring to the CPISA?

Have you encountered anyone with both the CPISA and CPISM?

Also, what has been you experience with QSA outside of the USA?