The PCI Security Standards Council sent out a communication to all Qualified Security Assessors (QSAs) this past week saying they are raising the number of industry certification requirements for QSAs from one certification to two (effective 2019). While I have been in strong favor of almost everything that the council has done to evolve the PCI standard and program, I have concerns with this change for QSAs and what they will mean to our clients.
Digging into the specifics of this change, the new requirements dictate one certification pertaining to information security (CISSP, CISM, ISO 27001 Lead Implementer) and one certification pertaining to audit (CISA, GSNA, ISO 27001 Lead Auditor, IIA CIA).
According to a source of mine who works for one of the credit card brands, this requirement has surfaced because of the poor quality of some assessments. Sadly, we have seen this reality as we meet with many new clients – simply put, not all QSAs are created equal. That said, I believe if the PCI Security Standards Council is concerned about ensuring consistent, thorough results, this change may not drive the results they are looking for. Thoroughness is associated with QSA companies who show up to perform the assessment and not associated with those who complete ‘fly-by’ assessments or rely exclusively on automated tools (albeit, tools that can help save some time but by no means are a replacement). Also – any assessed entity who opts for the low cost QSA provider is more likely than not to experience a haphazard assessment. Having been involved with hundreds of PCI assessments over the past decade, I can say that I’ve seen many shortfalls (see blog post) – very few of which an auditing certification will help.
The increased focus around auditing is a directional change and runs the risk of turning PCI assessments into audits which is a different thing altogether. In my experience, the best way to deliver a thorough PCI assessment, is to approach it consultatively. In fact, we tell our clients that we are working with them to prevent their organization from being audited, which could happen if there was a suspected breach. This allows us to earn the trust of our clients, and therefore conduct a much more thorough assessment than if the client felt they were being audited (when someone is being audited, they just answer the question with as few words as possible as anything they share may be used against them).
I also spoke with a good friend who runs his organization’s PFI practice. He believes that the auditing certification will add absolutely zero value to his team of forensics investigators. I am all for continued learning and certifications, but they must align with business objectives; that is not the case with this change.
So what would I recommend? How about adding a third certification category which is more technical, and then allow QSAs the option of selecting two out of the three categories to pursue? For example, because our practice has been inundated with clients who use AWS to host their infrastructure (or they are migrating there), our practice has found the AWS Certified Solutions Architect (associate) training to be extremely useful for not only performing more thorough assessments of our clients who use AWS, but also to be able to make meaningful suggestions to help secure their enterprises. Another relevant certification is the Architecting Microsoft Azure Solutions Certification, another very popular platform where our customers are migrating their infrastructure. Along a different, but similar line, obtaining a Certified Ethical Hacking (CEH) certification would also help the QSA understand technology from the perspective of a nefarious mind. QSAs can see gaps from the standard, but when they also have hands-on experience exploiting vulnerabilities, this can only lead to better assessments for our clients.
I am hoping that some of these ideas are vetted prior to the PCI Community Meeting (see you there!), and for anyone at the meeting who participates in the discussions about this, let’s try to work together to make suggestions as to how to refine this requirement rather than slamming it (I got that out of my system by writing this blog post!).
What do you think of the PCI Security Standards Council's changes? Leave a comment below and let me know!