18
Jan
11

Update On PCI DSS v2.0 QSA Scorecard

For all of those QSAs out there, we found out from the PCI SSC late last week that the PCI DSS v2.0 scorecard will not be released until the first part of February.  This document was supposed to be released sometime this month, but as usual it has been delayed.  For those of you that are not QSAs, the scorecard is the document that tells QSAs how they are supposed to conduct their fieldwork.  The scorecard tells the QSA whether they need to interview people, review documentation, observe a system setting or configuration, observe a process, action or state, specify sampling or monitor network traffic.  Reading the PCI DSS tests does not necessarily always define when these activities are required, particularly those that require the interviewing of people, so having the scorecard is a necessity in order to properly conduct a PCI DSS assessment.

The scorecard is also the grading scale that the PCI SSC uses to assess QSACs to determine if they need to go into remediation.  Points are assessed by the number of items of each of the aforementioned categories.  If the reports assessed by the PCI SSC do not achieve a score of 75% or greater of the possible points, then a QSA goes into remediation.

UPDATE: Just got an update from the PCI SSC late yesterday, Wednesday, February 16. The scorecard is further delayed and they are “hoping” to have it published in the next few weeks. How they expect QSAs to conduct v2.0 assessments without knowing what they are expected review and observe and who to interview is insane. I am guessing that the scorecard will not be delivered until the end of March at the earliest. The scorecard needs to be published with the standard, not after it.

Advertisements

5 Responses to “Update On PCI DSS v2.0 QSA Scorecard”


  1. 1 Amy
    March 30, 2011 at 9:36 AM

    Any update on this being released? Thanks!

    • March 30, 2011 at 8:07 PM

      I would like to report that it has been issued, but it has not. It supposedly will be released on their Web site, but that too may not be the case. However, it is supposed to be released to the key contact people for QSACs when it gets issued. I’m guessing that if it is not released by Friday, April 1 (April fool!), that it may be the end of April before we have it.

  2. 3 Hector
    January 31, 2011 at 2:24 PM

    What about a new prioritized approach? Whats the use of releasing the standard but not associated docs such as the prioritized approach spread sheet? How are you supposed to go through an assessment and provide reporting (even internal reporting) if you need to work on the previous version of the spread sheet?

    • January 31, 2011 at 8:04 PM

      Agreed. It is very frustrating to not have all of the tools we need to conduct a proper assessment. I really do not understand why the new releases of the PCI DSS and PA-DSS were released without an entire suite of documentation.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Announcements

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

January 2011
M T W T F S S
« Dec   Feb »
 12
3456789
10111213141516
17181920212223
24252627282930
31  

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,904 other followers


%d bloggers like this: