In March 2017 the PCI SSC announced plans to develop an Associate QSA certification program, as part of a broader initiative for evolving the PCI Qualified Security Assessor (QSA) program to attract new cyber talent globally and ensure its sustainability and quality in a changing payment environment.
A QSA Company is a data security firm certified by the PCI SSC to perform on-site assessments of a company’s PCI Data Security Standard (PCI DSS) compliance to ensure that robust policies and procedures are in place to protect cardholder data. The QSA program plays a critical role in the adoption of PCI Security Standards.
In this blog post we talk with Chief Operating Officer Mauro Lance to get the latest updates on the Associate QSA certification program.
What has the feedback from the industry been like on the Associate QSA certification program since you announced it in March?
Mauro Lance: Feedback has been overwhelmingly positive concerning the introduction of the new Associate QSA certification. It appears to have struck a chord with the industry as it has struggled to find enough qualified security professionals to fill available positions.
Is it still on track to be available in early 2018?
Mauro Lance: Yes. Since the announcement in March we have been working with a dedicated industry task force to develop the Associate QSA certification and supporting materials, such as the qualification requirements and training for the QSA mentors.
As of now, we are targeting January 2018 to begin accepting applications. We will be talking about the details of the program with the PCI community at our upcoming Community Meetings in Orlando and Barcelona and providing regular communications to stakeholders on the program in preparation for its launch.
Have the pre-requisites for an Associate QSA been determined?
Mauro Lance: Associate QSAs must be employed by an eligible QSA Company. Based on feedback from the industry we expect pre-requisites to also include a college or university degree in an IT or security-related field, or two years’ experience in IT or security. It is the QSA Company’s responsibility to nominate appropriate candidates for training.
Can you talk more about the responsibilities of a QSA mentor in relation to the Associate QSA and the requirements for serving in this role?
Mauro Lance: QSA Companies will designate a mentor to be responsible for the development of Associate QSAs. Mentors will be more experienced QSAs. Some examples of their duties may include onboarding, evaluating skills and ensuring Associate QSAs are given appropriate assignments to extend their skills and experience.
Will the Associate QSA certification be transferable from company to company?
Mauro Lance: This is something that the industry has asked us for and we are considering permitting Associate QSAs to transfer between eligible QSA Companies.
What is the expected pricing for Associate QSA training and certification?
Mauro Lance: As Associate QSAs will complete the same training and exam as QSAs, organizations can expect the pricing to be consistent with pricing for QSA training and certification.
What will the Associate QSA training cover and when will it be available?
Mauro Lance: The Associate QSA training equips trainees to perform assessments of merchants and service providers who must comply with the PCI DSS. Associate QSAs will complete the same training as QSAs, which includes the online prerequisite PCI Fundamentals course and a two-day instructor-led course. The training calendar for 2018 will be published on the PCI SSC website later in 2017.
How will the PCI SSC ensure the quality of Associate QSAs?
Mauro Lance: The Assessor Quality Management (AQM) program is developing a quality assurance approach specific to Associate QSAs, ensuring a baseline level of quality is maintained by Associate QSAs in supporting QSAs.
What are the next steps for QSA Companies interested in the Associate QSA certification program?
Mauro Lance: QSA Companies should begin considering how they could take advantage of this program, including identifying suitable applicants for Associate QSAs and mentors and giving consideration to this program in their 2018 budget plans. In the meantime, stay tuned for more communication from the PCI SSC on the program – we expect to publish the qualification requirements later this year.