Do security leaders need to worry about the end of the QSA program?

Whether you need to comply with PCI or not, recent changes to the QSA program signal the need for security leaders to engage in two important discussions


Is the PCI Council phasing out the role of the Qualified Security Assessor (QSA)?

That’s the question Branden Williams (@BrandenWilliams) posed in this post (link) after reviewing the changes to the Qualification Requirements for Qualified Security Assessors (QSAs). He explores some potential impacts of the changes worth considering.

Based on Branden’s assessment, I see two areas of interest for security leaders:

  • Potential QSA changes signal the need for internal shifts
  • Asking whether the value of certifications just increased

Why a change in the QSA program might cause a shift in your approach

As noted in the recent slideshow on scoping your PCI assessment (3 experts teach you how to properly scope your PCI assessment), like it or not, PCI is a globally recognized standard. Whether or not you need a PCI assessment, the practice of scoping your systems and understanding your environment is essential, even if it is challenging.

But a recent change to the QSA program signals a potential secondary need: offload PCI processing to someone else.

From Branden’s post:

They still require that all assessment results and related materials can be made available to the Council upon request (apparently, in a non-redacted format, so I hope the Council has similar evidence handling policies that QSAs are required to have), and that all materials are maintained for three years. There is probably no better reason than this to find ways to remove PCI DSS from your plate.

Think about how this impacts your current assessment process and overall risk profile. More broadly, as Branden suggests, this is the opportunity to open a conversation about the need to reduce or remove PCI data (and other sensitive information) from your environment.

While the immediate impact of this shift is felt by the QSAs, consider the longer-term impact and explore technology and other solutions that reduce your PCI scope now.

Did the value of certification just increase?

What goes better with PCI than a discussion about security certifications?

Branden picked up on an interesting change:

Probably the most significant change that I saw is candidates must now have a certain kind of security or audit certification. Today, it says you must have at least ONE from the list of eight, but they indicate that they may require one from each group in the future.

Does this mean the value of security certifications just went up in the PCI world? What impact, if any, does that have on you and your team? Some organizations expect some (or all) of their team to have comparable industry certifications to their solution providers.

Does the shift in certification requirements impact you?

The end of the QSA program?

For certain, these changes don’t spell the end of the QSA program.

Instead, they signal the desire of the council to adapt to the shifting nature of their program. In turn, that signals an opportunity for security leaders to take note, consider, and discuss the potential impacts to them.

Minimally, consider what steps you might take over the coming months to better prepare your organization for the change signaled over the horizon.

What do you think?

Do these changes signal the need for you to adapt? Share your thoughts and experiences with me on Twitter (@catalyst) or in the comments below.
