Branden Williams has a great posting out on this topic that everyone that is a QSA needs to read. He brings up a number of good points that need to be discussed.
That said, I wanted to take on one of his discussion points and go a bit deeper. And that is the coming requirement that multiple certifications will be required as of July 1, 2016.
“Note: The requirement to possess at least one industry-recognized certification is effective as of January 1, 2016 for new QSA Employees. For QSA Employees qualified and added to the search tool prior to January 1, 2016, this requirement is effective July 1, 2016 (for example, upon annual requalification after June 30, 2016).”
The document lists two types of certifications; “Information Security” and “Audit”. Under Information Security list you have the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM).
Under the Audit list you have the Certified Information Systems Auditor (CISA), GIAC Systems and Network Auditor (GSNA), Certified ISO 27001, Lead Auditor, Internal Auditor, International Register of Certificated Auditors (IRCA), Information Security Management System (ISMS) Auditor, Certified Internal Auditor (CIA). How the Council developed this list of qualified certifications is beyond me as there are some others that I would think should be listed here.
I too face the issue that Branden faces. While I have multiple certifications, I no longer hold the CISA certification that I would need to remain a QSA after June 30, 2016. As a result, I would have to go back and obtain my CISA again after letting it lapse years ago. Why my Certified in Governance of Enterprise Information Technology (CGEIT) would not be acceptable and qualify me I have no idea.
But there is a larger issue here that I think needs to be discussed. Given how the Council has broken these certifications out, one would assume that they are looking to make QSAs better assessors by improving their auditing skills. I am also assuming that they are preparing QSAs for the onslaught of conducting true audits under the coming integration of business as usual (BAU) standards that will be introduced into the PCI DSS v4.
Based on those assumptions, I would argue that only the IRCA and CIA certifications have anything to do with certifying someone as capable of conducting a proper audit in addition to being a CPA. All of the other certifications they specify under the “Audit” category are focused on a particular auditing standard such as CoBIT, ISO 27K or similar and have nothing to do with improving a QSA’s auditing skills or preparing QSAs to become true auditors.
But that brings up an even more interesting question to ponder. Is the PCI SCC going to adopt the AICPA’s Statements on Standards for Attestation Engagements AT-101? This standard is what tells CPAs how to properly conduct audits. AT-101 lays out an extensive list of requirements for conducting an audit from planning, execution, work papers, client representations, report creation, report publication and everything in between.
A number of years ago when I worked at an accounting firm, we were approached by a few clients interested in conducting their PCI assessments to the AT-101 auditing standard. As we investigated what it would take, we and our clients quickly came to the realization that conducting a PCI assessment to AT-101 standards was going to be very costly and time consuming. The reason was that AT-101 has specific and rigorous evidence gathering and sampling requirements that go an exponential level beyond what any QSA does today for a PCI assessment.
With the introduction of BAU into the mix, QSAs are going to have to test compliance with certain requirements over the assessment period. Based on my analysis of v3, I am estimating that there are at least 213 requirements that could have testing over some period of time. As a result, AT-101 auditing standards could easily be applied to those requirements. Such an application would lend much more credence to a PCI assessment and better prove that organizations are complying with the PCI DSS.
Most departments in organizations have never been through an actual audit other than possibly their finance and accounting areas. As a result, the rigor involved with an audit will be a very new and frustrating experience for IT and the other areas involved with PCI compliance. If you think the PCI assessment process is annoying and painful now, wait until you see what you have to look forward to in the future if this is where I would bet the Council is headed.
Regardless, the PCI haters will really have something to complain about if this comes to pass.
My recommendation? Move as quickly as possible to reduce your PCI scope now.
PCI Guru 
I don’t know how I missed this. I don’t like the PCI SSC’s approach. As a certifying-body, they require you to be certified by another certifying-body, it just doesn’t make sense. It’s one thing to leverage existing certifications as a mean to demonstrate a certain level of experience but it should stop there.
And contrary to your view, I hope the SSC stay away from all the AICPA standards and rules as they’re made for accountants not for information security professionals. There is bad QSAs just like there’s bad CPAs. CPAs are just not information security professionals and the DSS is a security standard. The US Dept. Of Energy has a mechanism in place where you can have your house energy efficiency audited and they will provide financial assistance if you improve its efficiency. It is always referred as an audit and I haven’t seen CPAs doing it. Say what you want, audit is a very broad term that is simply a process by which something is compared to a reference. Its applicable to all fields like engineering, medical, plumbing, aerospace, banking, etc. You can refer to AT-101 all you want, keep in mind the large quantity of accounting scandals where CPA were involved so rules and standards are always as rigorous as the people enforcing them. Lastly, it’s not fair comparing financial auditing principles that have existed for centuries to payment security which is something fairly new. Not long ago, payment security was associated with the fact that very few had access to the mainframe.
The only reason that I brought up the AICPA is that it appears that the Council is trying to get Assessors to be better at auditing. Yet they use examples of certifications that really have nothing to do with being better auditors other than the Certified Internal Auditor certification.
I also find it ironic that while the Council will not accept the work of other auditors, they still recommend that Assessors have other certifications such as CISA and ISO that are for the very programs they say are not acceptable.
BTW Anyone that truly wants to “cook the books” is going to set up an environment that will make that work for some period of time. Most frauds exposed by auditors never see the light of day in the media for various reasons. The biggest problem auditors have is that independent third parties such as banks and business partners do not confirm or deny business transactions that would immediately identify the fraud. Such entities receive so many requests from auditors for confirmations that they blow them off. Without those confirmations, the auditor has no choice but to accept the transactions as accurate even when they are not.