Since the Payment Card Industry Data Security Standard was established in 2004, PCI DSS has required financial service providers and large merchants to use QSAs to carry out onsite assessments and verify compliance and security. QSA stands for Qualified Security Assessor; it is a designation awarded by the PCI Security Standards Council to individuals it finds qualified to perform PCI assessments and related consulting services.
More recently, the PCI DSS program has expanded its guidelines for training QSAs, among other advances. Still, QSAs and the services they provide vary a great deal: assessors differ widely in thoroughness, methodology, technical skill and other areas.
The PCI DSS v2.0
PCI DSS v2.0, released on 30th October, includes a number of clarifications and additional areas of guidance for assessments. The new version states that the first step of any PCI DSS assessment is to define its scope by producing clear maps of where cardholder data is located and how it flows within the organization's systems.
Many organizations are not aware of every single location where cardholder data resides in their systems. To carry out these assessments, a QSA must understand application data handling, network architecture, operating system security, storage and database technology, and the other business and IT functions involved.
PCI DSS v2.0 also adds new guidance permitting the use of virtualization technologies and explaining how to assess them. As many organizations look to achieve cost savings by implementing application and server virtualization, QSAs must understand this technology and how it differs from the traditional client/server architectures they are used to assessing.
With virtualization, numerous server instances can be created and run on a single physical system. In the past, many QSAs considered this non-compliant. PCI DSS v2.0 Section 2.2.1 permits the use of virtualization, but makes it clear that only one function may run on a single virtual server: for example, one virtual machine runs database services while another runs web services. It is therefore important for QSAs to understand virtualization-specific controls, virtual network segmentation and the IT controls that apply to virtualization platforms.
Choosing a QSA
Once you select a QSA, the relationship is likely to be a long one. Organizations should look for a QSA who knows the same technology that needs to be audited. To hire a QSA, a company should gather its business requirements, conduct a detailed interview about the QSA's past experience, and schedule a time for an onsite review and planning meeting. Make sure that the individual QSA you speak and work with during data collection and assessment planning is the same person who will eventually come onsite to manage the assessment.
The QSA firm you choose will affect your compliance and security for a long time. Making the right choice of QSA pays off both in meeting the PCI DSS compliance requirements and in strengthening your security over the longer term.