In March 2017 the PCI SSC announced plans to develop an Associate QSA program, as part of a broader initiative for evolving the PCI Qualified Security Assessor (QSA) program to attract new cyber talent globally and ensure its sustainability and quality in a changing payment environment. This week, PCI SSC published Qualification Requirements for QSA Companies and prospective Associate QSA employees to join the Associate QSA Program. Senior Director of Certification Programs Gill Woodcock discusses the Qualification Requirements for Associate QSAs and what happens next with the program.
What is covered in the updated QSA Qualifications Requirements and Program Guide just published?
Gill Woodcock: We’ve introduced a couple of key changes to the QSA Program this year as part of a PCI SSC initiative to evolve the QSA Program to attract new cyber talent globally and ensure its sustainability and quality in a changing payment environment. The QSA Qualification Requirements and Program Guide documents have been amended to reflect these updates, which include requirements for the new Associate QSA Program and an amended requirement for QSAs starting in 2019 to hold two industry certifications, covering audit and information security, instead of one.
Why is PCI SSC introducing an Associate QSA Program?
Gill Woodcock: We want to provide an entry path for individuals working for QSA Companies to achieve full QSA status. We’ve had feedback that there aren’t enough QSAs available globally and the program is a response to that feedback. By introducing an Associate QSA program we are providing a formal development path for less experienced assessors to achieve full QSA status under the guidance of an experienced mentor. We think this will bring benefits to these individuals entering our industry, and in the longer term merchants and service providers will benefit from an expanded pool of QSAs.
How can individuals join the Associate QSA Program?
Gill Woodcock: Firstly, individuals must be employed by a QSA Company. This is to ensure that Associate QSAs work under the supervision of an experienced QSA. There is a list of QSA Companies on our website. Individuals working for a QSA Company wishing to apply to the program should review the QSA Qualification Requirements, check their eligibility and then work with their primary contact to submit an application. Successful applicants will need to attend face-to-face training and pass an exam before becoming an Associate QSA.
What are the roles and responsibilities of Associate QSAs? Are there restrictions on what they can do?
Gill Woodcock: As part of the program Associate QSAs are encouraged to develop their skills and experience by undertaking a range of different tasks and participating in PCI DSS assessments. However, as they do not have full QSA status, there are some restrictions in place. For example, Associate QSAs are prohibited from leading assessments, confirming PCI DSS compliance status, evaluating compensating controls or initiating/leading compliance discussions. The full range of do’s and don’ts for Associate QSAs is contained in the QSA Qualification Requirements and Program Guide.
What about quality assurance for Associate QSAs, is that addressed in the documentation?
Gill Woodcock: Quality assurance is addressed in some detail in the QSA Program Guide. Key features include the Mentor manual that the QSA Company will be creating. There will be a separate document containing templates for the forms required to maintain the Mentor manual. This document will be published in early January.
Mentors will receive training and support materials from PCI SSC to help them fulfil their important role, and the PCI SSC Assessor Quality Management team will be closely involved to help ensure this new initiative delivers on its intent and will be conducting regular checks to detect any issues.
What training do Associate QSAs need to attend, and when will it be available?
Gill Woodcock: The Associate QSA training equips trainees to perform assessments of merchants and service providers who must comply with the PCI DSS. Associate QSAs will complete the same training as QSAs, which includes the online prerequisite PCI Fundamentals course and a two-day instructor-led course. The cost is the same as QSA training.
The Associate QSA Program will open for applications in January 2018, with the first training to take place at the end of January in Fort Lauderdale, Florida. The full 2018 training schedule is available on the PCI SSC website here.
Will the Associate QSA Certification be transferable from company to company?
Gill Woodcock: Yes, this is something that the industry has asked us for. Associate QSAs will be able to transfer between eligible QSA Companies.
What are the next steps for QSA Companies interested in the Associate QSA Certification Program?
Gill Woodcock: The PCI SSC encourages QSA Companies interested in participating in the Associate QSA Program to review the Qualification Requirements and Program Guide and take advantage of the upcoming Assessor Webinar on 7 December to ask your questions. Or, they can reach out directly to the QSA Program Manager via qsa@pcisecuritystandards.org.
How does the Associate QSA Program benefit merchants and their acquirer partners?
Gill Woodcock: An overall shortage of cyber security talent is making it difficult for QSA Companies to find suitable new assessors. As a result, assessors are increasingly expensive to hire and retain, driving assessment costs up for merchants that rely on their services. The Associate QSA Program is designed to bring new cyber talent to the QSA program, easing the resource constraints for QSA Companies, and ensuring high quality QSA services are available for merchants and service providers into the future.