Re-evaluating QSA training

Date: Apr 06, 2010

Recently, the PCI QSA training process has come under scrutiny over the quality of individual PCI assessors. In this interview, Bob Russo, General Manager of the PCI Security Standards Council, sheds light on changes to the training process.

Watch part one of this interview: The future of PCI DSS

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact  

Robert Westervelt: Hello. I am Robert Westervelt, the News Editor of Thank you very much for watching this video.
Today we are going to be talking about the Payment Card Industry
Data Security Standards with Bob Russo. Bob is General Manager
of the PCI Security Standards Council. Bob, thank you very much
for joining us.

Bob Russo: My pleasure.

Robert Westervelt: Part of the job with the Council is to oversee the
training and certification of Quality Security Assessors. There have
been some complaints in the past about the poor quality and lacking
depth of some assessments. Can you describe what the Council has
done to improve training and certification?

Bob Russo: First of all, our training is updated on a regular basis.
Not only are we training QSAs and now soon to be ASBs, as well,
but we are training merchants, as well. We do standards training;
we are letting them see the same type of training that the QSAs
are getting. More importantly, we have the QA program, so all of
our assessment community goes through this Quality Assurance
Program, and they go through it on a regular basis. Actually, if you
visit our website you will see on the list of assessors some of them
that have turned red on our website. Some of those assessors are
in remediation because of going through this Quality Assurance
Program. Others have left the program because of the Quality
Assurance Program. We endeavor to make sure that it is a
level playing field for all of the assessment community, and so far,
after a year and a half of having this QA Program in place, it seems
to be working.

Robert Westervelt: What does it mean to be in remediation?

Bob Russo: They have a certain period of time in order to correct what
we have seen they are not doing right, and more importantly, it lets the
community know that they have something going on there. It could be a
number of things, not necessarily that they are doing something wrong
in an assessment. It could be that they do not meet one of the
requirements for insurance or something of that nature and certainly,
they are able to communicate that to their customers and let them
know. I think the merchants really appreciate the fact that these guys
are going through this on a continual basis, and they are able to see
that the process is improving as they go through this.

Robert Westervelt: Why did these problems emerge? Why is there
not this standard process?

Bob Russo: It is a standard process, but there are 200-and-some-odd
companies that are doing this. While we would like to think that everybody
is doing the right thing, in some cases people are not getting it right and we
are taking our responsibility seriously, and making sure that they are
in fact getting it right. One of the requirements as an example, is
that they have an internal Quality Assurance Program. We are checking
how they are actually doing their own Quality Assurance internally to
make sure, not just the fact that they have a Quality Assurance plan,
but that they are augmenting it and that they are putting people through
it. We are making sure it is a level playing field because there are
so many of them out there; we need to make sure of that, as there are some
guys cutting corners just to get the business.

Robert Westervelt: There have been some problems in the past about some
Quality Security Assessment firms selling products on the side and requiring
merchants to actually buy those products in order to get certified. Have those
issues been remedied?

Bob Russo: Again, we are looking at this in the QA Program to make sure
it is not happening. There are also independence clauses in the contracts
that we sign with all of our Quality Assurance Programs, so if in fact
they are selling a product, they can sell that product to whoever
their customer is, but they have to let that customer know that there
are other products on the market that do the same thing. If we ever
hear that somebody is saying, 'The only way you can become compliant
is by buying our product,' they immediately go to the top of the queue
in the QA Program.

Robert Westervelt: Bob Russo of the Security Standards Council.
Thank you very much for joining us.

Bob Russo: My pleasure, Rob.

Robert Westervelt: Thank you for joining us. For more information on
this topic, you can go to, and for more videos, check For now, I am Robert Westervelt. Have a great
