After spending over 30 years in IT, with a great deal of time spent in security, I find myself with more than a few credentials closer to this end of my career than when I first started. One of my greater accomplishments is my certification as a Payment Card Industry Security Standards Council (PCI SSC) Qualified Security Assessor (QSA). Becoming a QSA and maintaining the certification are no small feat. In fact, there is a long list of requirements one must check in order to qualify.
The PCI SSC developed a Data Security Standard (PCI DSS) which is a set of requirements for cardholder data protection.
As per the SSC’s “Qualification Requirements for Qualified Security Assessors v. 3.0” document “When implemented properly, PCI DSS requirements provide a well-aimed defense for merchants and service providers against data exposure and compromise. As a result, assessment of merchants and service providers for compliance with PCI DSS requirements has become increasingly critical in today’s environment and is key to the success of the PCI DSS.” The “assessment” is carried out by a QSA. For those assessing compliance to PCI DSS, certifying as a QSA is the entry point on a path to many other certifications the PCI SSC maintain, including the likes of a PCI Forensics Investigator (PFI) or a Qualified Security Assessor for Point-to-Point Encryption (QSA P2PE).
Steps to qualifying as a certified QSA.
To qualify as a QSA you need to have at least the following under your belt (taken again from the Qualification Requirements for Qualified Security Assessors (QSA) v. 3.0):
“Each QSA Employee performing or managing PCI SSC Assessments must satisfy the following requirements:
- Pass background checks required per Section 4.2.
- Possess sufficient information security knowledge and experience to conduct technically complex security assessments.
- Possess a minimum of one year of experience in each of the following information security disciplines (experience may be acquired concurrently - for example, if the role involved experience in multiple disciplines at the same time):
- Application security
- Information systems security
- Network security
- Possess a minimum of one year of experience in each of the following audit/ assessment disciplines (experience may be acquired concurrently, for example, if the role involved experience in multiple disciplines at the same time):
- IT security auditing
- Information security risk assessment or risk management
- Possess at least one of the following accredited, industry-recognized professional certifications from each list.
- List A – Information Security
- (ISC) 2 Certified Information System Security Professional (CISSP)
- ISACA Certified Information Security Manager (CISM)
- Certified ISO 27001 Lead Implementer
- List B - Audit
- ISACA Certified Information Systems Auditor (CISA)
- GIAC Systems and Network Auditor (GSNA)
- Certified ISO 27001, Lead Auditor, Internal Auditor
- IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)
- IIA Certified Internal Auditor (CIA)
- List A – Information Security
- Possess knowledge about the PCI DSS and all applicable documents on the PCI SSC Website.
- Attend annual QSA Employee training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a QSA Employee fails to pass any exam in connection with such training, the QSA Employee must no longer lead or manage any PCI SSC Assessment until successfully passing the exam.
- Adhere to the PCI SSC Code of Professional Responsibility.”
There are a few necessary independent certifications that are required as a pre-requisite to becoming a QSA, each with their own certification requirements and Continuing Professional Education (CPEs) requirements. It can be challenging to keep track of a minimum of 3 certifications and their CPE’s to continue as a QSA.
Let’s say you took the ISACA Certified Information Security Manager (CISM) from List A above as one of your qualifying certifications.
For that certification you would need a minimum of 5-years of professional information systems auditing, control or security work experience. You would then need to put in some serious study hours to pass a 150 question, 4 hour exam. But it doesn’t end there. A total of 120 CPEs (generally measured on participation hours) will be required over the 3-year certification cycle. The same is true for most qualifying certifications, including the QSA certification itself.
To be a QSA, at a minimum, you would need to track and report up to 360 CPE’s across 3 certifications if there are no synergies between the CPEs you do and the CPEs required across the 3 certifications (which there generally tends to be). However, you may be in a position like myself and possess a qualification that has very little in the way of synergies to your other CPE requirements which adds to the load. In my case I treasure my PMP (Project Management Institute Project Management Professional) certification which is very useful in managing compliance programmes, but also comes with its own CPE requirements.
At SecureTrust, we don’t only help our QSA’s maintain their certifications, we encourage our teams to grow with new certifications to challenge their skills in the cyber security arena. Those who achieve them are not only applauded but rewarded, as to encourage the right view of certifications.
It should be noted that becoming a QSA also requires you to attend an in-person course and complete an exam. If you were to wait for a course and exam to be available in your area, it may take a longer period of time to become qualified. Because of that, SecureTrust sends our QSAs to the course and exam as soon as it is needed. That means my team alone (from all over Asia-Pacific) has attended courses in Florida, Melbourne, South Africa and Tokyo in an effort to help them become qualified as soon as they join the team. All of this takes place after they have completed a prequalifying course and exam online. Your position on the in-person course is dependent on you passing the pre-qualifying exam.
The list of requirements to become a QSA is a long one.
Are you exhausted yet? If not, the annual online course and re-qualification exam will make sure of it. And before you get to participate in any of that, I personally look for security staff who have not only assessed security controls in the past but have also built them. After all, how do you assess what you haven’t built or done yourself in the past? That’s more of a personal hiring requirement of mine, but one that you will find makes for the better assessor and consultant. And as PCI 4.0 comes to the forefront in the years ahead, that level of skillset will become more valuable. Such a consultant/assessor can help with remediation solutions (for compliance) that are based on real world experience.
For companies seeking the assessing services of a QSA, there is a level of confidence in knowing the background of your QSA, much like knowing what your mechanic knows or the level of experience of a doctor.
If you have ever completed multiple lengthy exams, it becomes clear that you need to be passionate about the cyber security field to become a QSA. Having a team of such employees makes my job an interesting and enjoyable one.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
Brian Odian is the Director of Asia Pacific Global Compliance & Risk Services Consulting at SecureTrust, based in Sydney. He has over 32 years IT industry experience including roles as a Security Delivery Manager and Global Security and Transformation Lead for large worldwide information technology corporations. During his career he has been across a wide range of industries and roles, including global management experience across multiple cultures and business environments.
Experienced in running global security programs, and some of the largest regional projects in Asia Pacific, Brian brings a mix of project management, security and compliance credentials together (CISM, CRISC,PMP, QSA, ISO27001 IA) to achieve the best results in delivering security solutions and compliance programs. He has been published by the Project Management Institute (PMI) and MSSP Alert along with conducting webinars on the General Data Protection Regulation (GDPR) and Compliance Intelligence. He has also presented on PCI Compliance for some of the “big four” banks and the Customer Owned Banking Association (COBA).