In March 2017 the PCI SSC announced plans to evolve the PCI Qualified Security Assessors (QSA) Program to attract new cyber talent globally and ensure its sustainability and quality in a changing payment environment. In this blog post we talk with Chief Operating Officer Mauro Lance to get the latest updates on this effort, including when to expect the new Associate QSA Program, new changes to the industry-recognized professional certifications requirement for QSAs, and plans for supporting the PCI 3DS Security Standard, when it’s published later this year.
Is the Associate QSA Program still on track to be available in early 2018?
Mauro Lance: Yes. We are targeting January 2018 to begin accepting applications. We addressed some of the key questions around this program in a previous blog post: Associate QSA Program: Coming Soon, so I encourage stakeholders to read it as well.
We will also be talking about the details of the program with assessors at the upcoming PCI Community Meetings in Orlando and Barcelona in addition to providing regular communications to stakeholders on the program in preparation for its launch.
What other changes are currently planned for ensuring the sustainability and quality of the QSA Program?
Mauro Lance: The QSA Program is a core industry program and as such its sustainability and quality is of primary concern to us and our stakeholders. We are increasing the industry-recognized professional certifications requirement for QSAs. The current QSA Qualification Requirements stipulate that QSAs must hold either an information security certification or an IT audit certification. Beginning in 2019 PCI SSC will require QSAs to have a minimum of two industry certifications, one information security and one IT audit certification. The QSA Qualification Requirements are being updated to reflect this change, and this document will be available by the end of the year.
We are also in the process of expanding the QSA Program to support the new PCI 3-D Secure (3DS) Security Standard, which will be published later this year.
There will be opportunities at the PCI Community Meetings in Orlando and Barcelona and the assessor webinar in November to further discuss these changes and QSA questions.
How long do QSAs have to obtain two industry-recognized professional certifications in order to meet this new requirement?
Mauro Lance: The new industry certifications requirement will be effective 1 January 2019 for new QSAs. For QSA employees qualified and listed on the PCI SSC website prior to 1 January 2019, this requirement will be effective 1 July 2019 (for example, upon annual requalification after 30 June 2019). Even though this requirement is not effective until 2019, we encourage QSA companies not to delay in ensuring their QSA employees will be able to meet these updated qualification requirements.
Why is the PCI SSC changing the industry-recognized professional certifications requirement for QSAs, and how do you see this benefiting the industry?
Mauro Lance: As new cyber threats emerge and advances in technology change the way we conduct payments and secure them, IT and security knowledge is increasingly important to the payment industry moving forward. As we continue to future-proof this program, in addition to attracting new cyber talent to the industry, we also need to build in ways for QSAs to demonstrate they are staying relevant and adapting their knowledge and skills to address industry challenges.
How will the QSA Program support the new PCI 3DS Security Standard?
Mauro Lance: The PCI 3DS Security Standard is still being developed, but we are looking at creating a sub-group of QSAs that are certified to conduct PCI 3DS assessments against this standard. The qualification requirements for these QSAs are still being determined, but eligible QSAs will have at least three years’ experience and two industry certifications, and they will need to take additional PCI training.
We will keep the QSA community informed on this initiative as it’s developed over these next couple of months.
What other changes are planned for the QSA Program?
Mauro Lance: Introducing the Associate QSA Program, increasing the industry-recognized professional certifications requirement for QSAs and expanding the QSA Program to support the new PCI 3DS Security Standard are the key changes we are working on right now.
Our overall goal is the continued evolution of the QSA Program to support new standards, meet industry needs and ensure high quality and consistent QSA services for merchants. Moving forward we will monitor the landscape and introduce changes as needed to ensure the sustainability and quality of the program. We are working with the QSA community and will keep QSAs informed of any developments that may impact them.