PCI QSA Re-Certification – 2011 Edition

Tuesday, May 10, 2011

PCI Guru


It is that time of the year, time for the PCI Guru to take the PCI SSC’s QSA re-certification training and test.  As with last year, the process is all online.

The process started this year with our Key Contact person emailing me the invoice for the training.  Since the PCI SSC is creating individual invoices for each QSA to be trained, our firm requires the invoice to be paid by the QSA and then expensed through the firm’s expense reporting system.

Why the PCI SSC cannot just issue a single invoice for a firm and get it over with, I just do not know.  I had to fax the invoice into the PCI SSC with my credit card information.  They make it very clear that they have a secure fax server. 

I will say this: I faxed in the invoice on Monday and by Tuesday I had my logon credentials for the training and examination.  So the registration process is very quick.

The PCI SSC appears to have contracted with a new CBT provider that has better capabilities than last year’s provider.  The site is simple but functional and easy to navigate. 

I did have some issues with getting the training content to process properly.  From time to time, I would get messages indicating that there was a “bad URL” supplied.  This appeared to be related to timeout issues as I could click again on the content and it would eventually be displayed and played.

The training is broken into four modules.  The first module covers the usual topics related to the PCI SSC, the various PCI standards, card processing and other general topics.  The second module covers an overview of the PA-DSS, the roles and responsibilities of the various PCI players, validation requirements and an overview of the PCI SSC’s assessor quality management (AQM) program.

The third module is all about the PCI DSS v2.0.  The fourth and final module covers miscellaneous topics such as virtualization, documentation required for a Report On Compliance, cardholder data discovery, scoping the cardholder data environment and compensating controls.

There are quizzes at the end of each module to test your retention of the material covered.  Each quiz is around eight questions and the questions seem to be representative of what is on the examination.  According to the documentation on the Web site, this material takes around six and a half hours to cover.

The examination is comprised of 60 true/false and multiple choice questions.  You are given four hours to complete the examination and, according to the documentation, you can pause the examination any number of times and come back at a later time to complete it. 

You only get one chance to go through the examination, so being able to pause it is nice to have available should you get an interruption.  I am not sure whether you can skip questions and come back to them later.  It took me about 45 minutes to go through the test and I had some interruptions.

I liked the new Web site but was frustrated at times that content was not always available.  I am not positive whether the problem was at my end or the CBT provider’s.  But since I was on a couple of different networks while I went through the content, I am guessing the problem was with the CBT provider, as I got the content availability errors on all of the networks I used.

As with last year, the training slide decks are not available for download.  I just do not understand why the PCI SSC does not make the slides and notes available as one or more PDFs. 

Not only would it be useful for offline review, but it would also be nice to have as a reference.  I am guessing that they feel that people who have the training material available longer than others have a better chance at passing the examination.

Of the four modules, module three is probably the best of the lot because of its discussion of the PCI DSS.  Each of the 12 requirements is organized around:

  • The general concept of the requirement;
  • Understanding the requirement; and
  • Assessor recommendations.

The general concept of the requirement is just a re-iteration of what is in the preamble of the requirement as written in the PCI DSS.  The Understanding section goes into more detail on the various high points of the requirement (i.e., the X.1, X.2, X.3, etc. level).

Not only are these sub-requirements generally discussed, but there is also a discussion about why these sub-requirements are necessary.  These first two items are very useful for training clients about why the PCI DSS process is necessary.

The real value though is with the assessor recommendations.  For the first time, the PCI SSC goes on the record and states, in general terms, what types of observations, interviews and documentation need to be obtained and reviewed by the QSA to ensure the requirements are satisfied. 

Based on some of the Reports On Compliance I have seen lately, I think a lot of QSAs are going to find out that what they are currently doing for fieldwork is not acceptable.  This information would also go a long way to helping clients appreciate why a Report On Compliance takes the amount of time and money it takes.

The examination is similar to last year’s re-certification examination – a variety of true/false and multiple choice questions.  The questions appear to be written to focus the QSA on black and white issues and to avoid any nuances. 

For example, I had a true/false question that stated, “An application that processes, stores or transmits cardholder data sold to a single merchant by a software company must be PA-DSS certified.”  Now, I know what they are trying to get at with this question and the answer is false.  However, the real answer is not so simple and depends on the software vendor.

If we are talking MICROS as the vendor, there is a high likelihood that the software will be resold to more than just one organization, so the software should go through the PA-DSS certification process. 

Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified.

In the end, the good news, or bad news for some of you, is that I was re-certified to be a QSA for another year.

Cross-posted from PCI Guru
