Update On PCI DSS v2.0 QSA Scorecard

For all of those QSAs out there, we found out from the PCI SSC late last week that the PCI DSS v2.0 scorecard will not be released until the first part of February.  This document was supposed to be released sometime this month, but as usual it has been delayed.  For those of you that are not QSAs, the scorecard is the document that tells QSAs how they are supposed to conduct their fieldwork.  The scorecard tells the QSA whether they need to interview people, review documentation, observe a system setting or configuration, observe a process, action or state, specify sampling or monitor network traffic.  Reading the PCI DSS tests does not necessarily always define when these activities are required, particularly those that require the interviewing of people, so having the scorecard is a necessity in order to properly conduct a PCI DSS assessment.

The scorecard is also the grading scale that the PCI SSC uses to assess QSACs to determine if they need to go into remediation.  Points are assessed by the number of items of each of the aforementioned categories.  If the reports assessed by the PCI SSC do not achieve a score of 75% or greater of the possible points, then a QSA goes into remediation.

UPDATE: Just got an update from the PCI SSC late yesterday, Wednesday, February 16. The scorecard is further delayed and they are “hoping” to have it published in the next few weeks. How they expect QSAs to conduct v2.0 assessments without knowing what they are expected review and observe and who to interview is insane. I am guessing that the scorecard will not be delivered until the end of March at the earliest. The scorecard needs to be published with the standard, not after it.


5 Responses to “Update On PCI DSS v2.0 QSA Scorecard”

  1. 1 Amy
    March 30, 2011 at 9:36 AM

    Any update on this being released? Thanks!

    • March 30, 2011 at 8:07 PM

      I would like to report that it has been issued, but it has not. It supposedly will be released on their Web site, but that too may not be the case. However, it is supposed to be released to the key contact people for QSACs when it gets issued. I’m guessing that if it is not released by Friday, April 1 (April fool!), that it may be the end of April before we have it.

  2. 3 Hector
    January 31, 2011 at 2:24 PM

    What about a new prioritized approach? Whats the use of releasing the standard but not associated docs such as the prioritized approach spread sheet? How are you supposed to go through an assessment and provide reporting (even internal reporting) if you need to work on the previous version of the spread sheet?

    • January 31, 2011 at 8:04 PM

      Agreed. It is very frustrating to not have all of the tools we need to conduct a proper assessment. I really do not understand why the new releases of the PCI DSS and PA-DSS were released without an entire suite of documentation.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

January 2011

%d bloggers like this: