Archive for April 13th, 2012

13
Apr
12

Another Year, Another QSA Re-Certification

By PCIGuru Leave a Comment
Categories: Card Brands, PA-DSS, PCI DSS, PCI PTS and PCI SSC
Tags: , , , , , ,

It is that time of the year when I have to go through the PCI SSC’s Qualified Security Assessor (QSA) re-certification process.

To add to the re-certification process this year, I have been sick for the last two months with a cold that turned into a nasty case of bronchitis along with laryngitis that then caused a severe case of sinusitis.  I just could not catch a break this Spring.  The good news is that I am finally on the mend and should be back to normal in another couple of weeks.

However, even illness does not get you out of the QSA re-certification process.  So, I put it off as long as I could and took the examination this morning.

As I expected, there was not a lot of new material in this year’s QSA update.  The biggest focus of this year’s training seemed to be:

  • The interrelationship of the various PCI standards;
  • Roles and responsibilities of QSAs, ASVs, merchants, service providers, acquirers, PCI SSC and the card brands;
  • Scoping of the cardholder data environment and cardholder data discovery; and
  • The integration of the PA-DSS with the PCI DSS.

Other than that, it was for the most part a reinforcement of the changes in the PCI DSS v2.0 to make sure that QSAs really understand the standard.

There is an interesting section on what not to write in the In Place column.  The unfortunate aspect about this section of the training was that the examples that were presented were straight out of ROCs that the PCI SSC QA program had reviewed.  Some of those responses were very difficult to read they were so bad.

There is also a discussion on network segmentation.  Unfortunately, the examples were very simple.  I wish our clients had such simplified networks.  However, because this discussion is in this year’s presentation materials indicates there are apparently still a lot of QSAs that do not understand the concept of network segmentation and what constitutes good segmentation from poor segmentation.

As I am finishing this post, I have been told I passed the QSA re-certification examination.  So I am a QSA for another year.

Announcements

This is a test to see how often or if this Announcements column is read. As of May 2013, the PCI Guru became a “free agent” and is looking for a new Qualified Security Assessor Company (QSAC) or a company that would like to bring their PCI compliance efforts in-house with an Internal Security Assessor (ISA). In the meantime, the PCI Guru is doing contract work with organizations having issues achieving PCI compliance. If your organization has an opportunity or is in need of assistance, contact the PCI Guru at pciguru AT gmail DOT com.

Calendar

April 2012
M T W T F S S
« Mar   May »
 1
2345678
9101112131415
16171819202122
23242526272829
30  

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 669 other followers

Follow

Get every new post delivered to your Inbox.

Join 669 other followers