At the PCI Middle East and Africa Forum in Cape Town, the PCI SSC announced plans to evolve the PCI Qualified Security Assessor (QSA) program to attract new cyber talent globally and to ensure the program's sustainability and quality in a changing payment environment. The initiative will be rolled out in phases, beginning in 2017 with a dedicated industry task force focused on developing an Associate QSA program. In this blog post we talk with Chief Operating Officer Mauro Lance about the new Associate QSA program and the PCI SSC's plans for evolving the QSA program to attract new cyber talent and ensure high-quality assessment services for merchants.
What is driving changes to the PCI SSC QSA program?
Mauro Lance: Industry feedback. We’ve had a lot of conversations in the last year or so about resource constraints within QSA Companies and the need to provide an entry route for individuals who want to become QSAs. This program is a direct response to that feedback, as our goal is for PCI SSC to continue evolving and developing our standards and programs to meet the changing needs of the payment industry.
How will the new Associate QSA Certification help ensure quality of QSA services for merchants?
Mauro Lance: Associate QSAs will work under the supervision of fully experienced QSAs to get the range of experience needed to perform a PCI Data Security Standard (PCI DSS) assessment. Continuing to improve the quality and consistency of QSA services for merchants is very important to the Council, and we will be adapting our assessor quality management programs to support Associate QSAs in their development.
What is the ideal candidate for Associate QSA?
Mauro Lance: The ideal candidate for Associate QSA is a security professional who wants to become a QSA but who can’t fulfil the experience and industry certification requirements just yet. We anticipate that he or she will need to attend QSA training and take the same exam as QSAs, so they will need a good level of knowledge about PCI DSS and how it applies to the cardholder data environment. After attaining Associate QSA status, the individual will need to gain experience and meet the qualification requirements before progressing to full QSA status.
How is the Associate QSA program different from the QSA program?
Mauro Lance: Associate QSAs are restricted to assisting in PCI DSS assessments and must work under the supervision of a fully qualified QSA. We are working through the details of the program with an industry task force to clarify the role and restrictions of the Associate QSA and the responsibilities of their supervising mentor. As of now, we anticipate that the role of Associate QSA will primarily focus on assisting with gathering evidence for PCI DSS assessments so they can get the necessary field experience to eventually become a QSA.
When will the Associate QSA certification be available?
Mauro Lance: We are planning to accept applications starting in early 2018, and we will be announcing more details about the program over the course of 2017.
What can you tell us about additional changes planned for the QSA Program?
Mauro Lance: Over time we expect to move to a skills-based model from the current standard-to-program model. If you look at our portfolio of programs you might notice that each standard has its unique assessor program associated with it. As PCI SSC develops more standards, it makes sense to leverage the expertise of current assessors, with extended training as needed, rather than continuing to introduce new assessor credentials. The first example of this was in February 2016 when we extended the remit of P2PE Assessors to include the ability to perform assessments of Tokenization Service Providers. We will continue to evolve all of our assessor programs to meet the needs of the payment industry, and we will do this in cooperation with the industry itself.