The PCI council explained on its website that QSA companies (QSACs) are organizations that have been qualified by the council to have their employees assess compliance with the PCI DSS standard for payment card data security. The council stressed that QSA certification “indicate only that the applicable QSA has successfully met all PCI Security Standards Council requirements to perform PCI data security assessments, and the PCI Security Standards Council does not endorse these security solution providers or their business processes or practices.”

Coburn said that the main issue he has with PCI DSS is that it tries to do too much. The standard “covers a very broad spectrum of technical and procedural security controls that any one individual QSA struggles to get his or her head around. It is very difficult to find individuals who are masters in all of the areas in which the standard is concerned”, Coburn told Infosecurity.

PCI DSS is “esoteric” in some areas and quite “broad” in others, Coburn noted. “It is very specific about the way you document firewall rule sets, for example, or the way you apply file integrity monitoring. But on the other hand it also touches on process controls on a very broad and high level, such as you should have an information security policy in place.”

The Dell SecureWorks executive explained that many organizations have been dissatisfied with the QSACs and QSAs they have used to validate PCI DSS compliance. For example, the guidance provided by the QSA is often inconsistent. “If there are two QSAs in a room, they will never agree on the same requirement. This is the kind of feedback we are hearing”, Coburn said.

On its website, PCI notes that it has a “clear-cut program to help all QSAs uphold a strong profile by following a process that ensures their consistency, credibility, competency and ethics.” Those QSAs who fail to meet PCI’s standard in a particular area or areas are placed in a remediation program. The areas where QSAs may fall short include lack of documentation in a series of reports, failure to meet business expectations with a fully operational internal QA program, or a failure to renew appropriate insurance coverage or other requirements addressed within the validation requirements.

Coburn said the council stresses that it takes a pragmatic risk-management approach to cardholder data security, but it does not train QSAs on being pragmatic about applying the standards to a particular organization.

Dell SecureWorks is proposing that the PCI council adopt a new “gold standard” for QSA certification. First, QSACs should be able to demonstrate that they have capabilities across all areas covered by the PCI DSS: network security, application security, and procedural aspects of the DSS, such as information security policy. Second, QSACs should identify their sector experience, so that customers can know which QSACs are appropriate for their industry.

“If you are a retailer that competes with WalMart, you should look for a QSAC with that type of vertical experience….If they don’t have experience in your industry, maybe you shouldn’t hire them because we have seen QSAs apply the standards vigorously and not listen enough to how the business works….Sometimes they are agnostic to the fact that businesses need to make money”, Coburn observed.

In addition, Dell SecureWorks is proposing that the council should measure QSAs along practical as well as theoretical lines and should replace the current qualification processes with a much more rigorous screening process carried out in an interview format.