PCI QSA

This week I've been in Sydney on a training course to become a Qualified Security Assessor (QSA) for the Payment Cards Industry Data Security Standard (PCI-DSS).

The PCI-DSS is a standard jointly devised by VISA, Mastercard, American Express, JCB and Discover that details the security controls that must be in place to protect credit card data from electronic or paper theft. Any company that processes, stores or transmits credit card data is now obliged to be compliant with PCI-DSS, and any company that isn't compliant are at risk of losing their merchant status (ability to accept credit cards) and suffering a fine. As you can imagine, losing merchant status would mean end of business for many companies so this is a very big thing.

As a QSA I will be carrying out audits of the larger merchants and providing a Report on Compliance (ROC) to their aquiring bank to testify whether or not they comply. This is something I have to take very seriously because if I report that a company is compliant and then they get hacked, any fine incurred by the merchant could be passed on to my company if it can be proven that my report was innaccurate. So any company that choses me as their QSA should not expect to get an easy ride!

Only the larger merchants have to be audited by a QSA; smaller merchants can submit a completed Self-Assessment Questionnaire (SAQ) to their bank. However, if the bank is unhappy with the answers in the SAQ they will tell the merchant that they are non-compliant, as many merchants are now discovering.

It's not just merchants that I'll be able to audit either. The banks themselves, classed as Service Providers, and other companies that process payments up the chain from the merchants could also be subject to my microscope.

The requirements of PCI-DSS are quite stringent and for smaller merchants can be highly complex. In the last couple of years I've been helping companies implement compliance programs to meet the requirements of PCI-DSS and accurately complete their SAQ. Becoming a QSA takes me to the next level and authorises me to audit companies on behalf of the Payment Card Industry Security Standards Council. Although I'm a QSA I only retain my status as a QSA whilst working for a QSA Company (QSAC). Vica-versa the company I'm working for will only retain their QSAC status whilst it has QSA's in its employment, which at the moment is me and one other.

I'm not quite there yet, I've sat the course and met all the other requirements, and yesterday I sat the exam, from which I'll get the results in the next 2 weeks. I'm also waiting for my police checks to come back. I'm not expecting any problems (I'll have some explaining to do to my company if I've failed either of them!).

The course itself was quite interesting. I was already familiar with a lot of it as I've been working with the standard for the last 2 years but it did help clarify a lot of questions I had over the grey areas in the standard. I also learnt a few cool tricks such as how to find credit card numbers and a formula that can be applied to discover whether or not a number that you're looking at is in fact a valid credit card number or not. Quite a nice party trick (for a very geeky party!).

I'm on a 6-day hacking course in Canberra next week so that knowledge combined with my PCI knowledge should make me a valuable resource for the Russian Mafia. Just kidding!