iQoncept - Fotolia
The PCI Security Standards Council (PCI SSC) recently released the first major update to the requirements companies must meet to become official PCI DSS Qualified Security Assessors (QSAs). Organizations that currently serve as QSAs, or are considering becoming QSAs in the future, should understand the impact of these changes on their certification. Additionally, PCI DSS merchants and service providers should understand the new burdens being placed upon QSAs and how these new PCI requirements may impact the cost of future assessments.
The requirements include many changes and clarifications to the previous edition of the requirements, released in 2008. Although there are wording changes throughout the document, the substantive changes come in three areas: QSA independence, employee qualifications and quality assurance/evidence retention.
QSAs have always carried an obligation to reduce the likelihood and possible perception of bias in their activities. PCI SSC has long required that QSAs fully disclose any conflicts of interest that might exist, recommend alternatives to products they develop, own or manage, and accurately represent the PCI DSS requirements to their customers. These restrictions protect the integrity of the process and put an informal wall between the consulting/sales and assessment arms of companies engaged in multiple activities.
The new qualification requirements make this informal wall solid and mandate the use of what's called "separation of duties controls." These controls ensure the QSA staff members conducting assessments maintain their independence and have no conflicts of interest. QSAs must now notify employees of these requirements and their specific independence policies on an annual basis.
Many QSAs already follow these practices, as they have deep roots in the audit and assessment field. Those who practice separation of duties will only need to ensure their documentation meets the PCI SSC standards. An organization that may have blurred the lines between QSA employees and its consulting/sales staff may need to hire additional team members and implement new independence controls to satisfy this requirement.
QSA employee qualifications
The new standard also tightens the qualification requirements for individual employees who will participate in QSA assessments. Under the old approach, each employee participating in assessment was required to have at least one year of experience in three of five critical skill areas. The new standard requires that every employee have at least one year of experience in each of the five areas: application security, information systems security, network security, IT security auditing, and information security risk assessment or risk management.
These experience requirements may be met concurrently if employees held position(s) where they worked in more than one area during a given year.
Under the original requirements, employees must also have held one of three professional certifications: Certified Information Systems Security Professional, Certified Information Systems Auditor or Certified Information Security Manager. Employees who did not hold one of these certifications could substitute five years of experience or "other recognized security certifications."
The new standard eliminates the experience option and requires each employee to possess one of eight listed certifications. This requirement goes into effect January 1, 2016 for new employees. Current employees who do not possess a certification have until July 1, 2016 to earn a credential.
Quality assurance and evidence retention
Finally, the new standard places additional burdens on QSAs in the areas of quality assurance and evidence retention. QSAs must now create, implement and fully document a quality assurance process that includes a formal approval process for assessment reports and independent quality review of their work product.
QSAs must also formally designate an employee to maintain their records retention program. This program must retain detailed evidence from each assessment, including screenshots, configuration files, interview notes and related materials. These must be safeguarded as confidential information and retained for three years after the completion of the assessment to serve as evidence in the event of an audit.
What's the bottom line? During their next recertification cycle, QSAs will need to tighten up internal procedures and ensure their employees meet the new certification requirements. Merchants and service providers should expect to see increased costs as these new requirements increase the burden on their QSAs.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for SearchSecurity.com and Information Security magazine and the author of several information security books, including the CISSP Prep Guide and Information Security Illuminated.
Learn about the challenges to QSAs in PCI DSS 3.0 and how to choose a competent PCI QSA.