Re-evaluating QSA training

Recently, the PCI QSA training process has come under scrutiny over the quality of individual PCI assessors. In this interview, Bob Russo, General Manager of the PCI Security Standards Council, sheds light on changes to the training process.

Watch part one of this interview: The future of PCI DSS

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact  

Re-evaluating QSA training

Robert Westervelt: Hello. I am Robert Westervelt, the News Editor of Thank you very much for watching this video.
Today we are going to be talking about the Payment Card Industry
Data Security Standards with Bob Russo. Bob is General Manager
of the PCI Security Standards Council. Bob, thank you very much
for joining us.

Bob Russo: My pleasure.

Robert Westervelt: Part of the job with the Council is to oversee the
training and certification of Quality Security Assessors. There have
been some complaints in the past about the poor quality and lacking
depth of some assessments. Can you describe what the Council has
done to improve training and certification?

Bob Russo: First of all, our training is updated on a regular basis.
Not only are we training QSAs and now soon to be ASBs, as well,
but we are training merchants, as well. We do standards training;
we are letting them see the same type of training that the QSA's
are getting. More importantly, we have the QA program, so all of
our assessment community goes through this Quality Assurance
Program, and they go through it on a regular basis. Actually, if you
visit our website you will see on the list of assessors some of them
that have turned red on our website. Some of those assessors are
in remediation because of going through this Quality Assurance
Program. Others have left the program because of the Quality
Assurance Program. We endeavor to make sure that it is a
level playing field for all of the assessment community, and so far,
after a year and a half of having this QA Program in place, it seems
to be working.

Robert Westervelt: What does it mean to be in remediation?

Bob Russo: They have a certain period of time in order to correct what
we have seen they are not doing right, and more importantly, it lets the
community know that they have something going on there. It could be a
number of things, not necessarily that they are doing something wrong
in an assessment. It could be that they do not meet one of the
requirements for insurance or something of that nature and certainly,
they are able to communicate that to their customers and let them
know. I think the merchants really appreciate the fact that these guys
are going through this on a continual basis, and they are able to see
that the process is improving as they go through this.

Robert Westervelt: Why did these problems emerge? Why is there
not this standard process?

Bob Russo: It is standard process, but there are 200-and-some-odd
companies that are doing this. While we would like to think that everybody
is doing the right thing, in some cases people are not getting it right and we
are taking our responsibility seriously, and making sure that they are
in fact getting it right. One of the requirements as an example, is
that they have an internal Quality Assurance Program. We are checking
how they are actually doing their own Quality Assurance internally to
make sure, not just the fact that they have a Quality Assurance plan,
but that they are augmenting it and that they putting people through
it. We are making sure it is a level playing field because there are
so many of them out there, we need to make sure that, there are some
guys cutting corners just to get the business.

Robert Westervelt: There have been some problems in the past about some
Quality Security Assessment firms selling products on the side and requiring
merchants to actually buy those products in order to get certified. Have those
issues been remedied?

Bob Russo: Again, we are looking at this in the QA Program to make sure
it is not happening. They are also independence clauses in the contracts
that we sign with all of our Quality Assurance Programs, so if in fact
they are selling a product, they can sell that product to whoever
their customer is, but they have to let that customer know that there
are other products on the market that do the same thing. If we ever
hear that somebody is saying, 'The only way you can become compliant
is by buying our product,' they immediately go to the top of the queue
in the QA Program.

Robert Westervelt: Bob Russo of the Security Standards Council.
Thank you very much for joining us.

Bob Russo: My pleasure, Rob.

Robert Westervelt: Thank you for joining us. For more information on
this topic, you can go to, and for more videos, check For now, I am Robert Westervelt. Have a great

View All Videos

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.