A couple of interesting items in this month’s Assessor Newsletter that came out on April 30.
All Assessor Webcast
The first thing is the June 15 All Assessor Webcast that will be held at 1430 UTC and will be an hour and a half long. I reached out to some contacts I have and they are all mum as to what could possibly take an hour and half to discuss. Given that the final RFC of PCI DSS v4 might be out by then, it could be there will be a discussion of that document. Regardless, I would recommend everyone sign up to attend this session.
QSA v4 Training
Another little interesting tidbit was in the QSA Program Changes. I do not recall hearing about this in the past, so that is why I found it interesting.
“QSAs can only perform assessments using versions of the standard for which they have received PCI SSC training:
– This requirement only applies to major releases of the standard, it does not apply to minor revisions.
– Once a QSA completes the PCI DSS v4 Transitional Training, an indicator will be added to the QSA Assessor listing on the Website.”
From what I can gather, what this means is that until a QSA has attended the PCI DSS v4 Transitional Training, a QSA will not be able to conduct a PCI assessment using the v4 template. As a result, I am guessing that attendance at these training sessions will be at a premium as QSAs will want to attend them as soon as possible. Hopefully these will be online sessions so that getting into them early are not as big an issue as would be for in-person training.
QSAC QA Questionnaire
For those QSACs that have been looking for the annual QA Questionnaire, it was released on March 24 and is posted on the PCI Portal under the Resources Center. So make sure you download it and go through it as soon as you can.
FAQ of the Month
The final tidbit is regarding this month’s FAQ #1325 entitled ‘Does PCI SSC provide a “PCI DSS Compliant” logo?’.
“PCI SSC does not issue an official PCI seal, mark or logo that companies can use when they achieve PCI DSS compliance. Please note that the PCI logo is a registered trademark and may not be used without authorization. You may not use the marks PCI Compliant, PCI Certified, PCI DSS Compliant, PCI DSS Certified or PCI with check marks or any other mark or logo that suggests or implies compliance or conformance with our standards. If your company is a member of one of PCI SSC’s programs, i.e. PO, QSA, ASV, ISA, or QIR, please contact your Program Manager who can provide a program logo that can be used for members of that program only. Note that authorized use of an applicable PCI logo by a program member is not an indication of that organization’s PCI compliance status or an endorsement by PCI SSC.
April
Article Number 1325″
This ranks up there with FAQ #1220 on the subject of PCI compliance certificates and the fact that they are worthless. Why these continue to be allowed to go on, I do not understand. I suppose until the Council begins putting QSACs in remediation for these incidents, they will continue.
Just thought these topics were worth sharing in case you missed the latest newsletter.
PCI Guru 