Audits for PCI Compliance

IT careers
PCI compliance
PCI Compliance and Acquisitions
PCI Compliance Careers
How does one become accredited to do audits for PCI compliance? What are the steps to be followed? Does anyone know or understand the cost? Is it a company or an individual that gets a certificate, or both? What if the employee leaves; does the company stay certified?


Are you referring to becoming a QSA? If so, here is my answer garnered from a recent interview with CoalFire President Rick Dakin:

What does it take to become a certified QSA?
A QSA must work for a QSA company. The requirements for QSA companies include registration (with fees), $2 million of professional liability insurance, and compliance to the rules published by the PCI Security Standards Council (PCI SSC). All QSA companies are subject to review by the council.

Once a QSA company is established, an individual QSA must first obtain a security industry certification like a CISSP or CISA certification, 3 or more years of industry experience and hands-on PCI experience supporting another certified QSA. All QSA participants must then pass a background check and complete formal PCI training and certification testing.

At Coalfire, we estimate that each individual QSA costs us $7,500 per year to maintain industry certification, registration fees and insurance in addition to 50+ hours per year in training or off-site testing. In short, it is a significant commitment by both the QSA and the QSA company to provide certified services in the industry.

Merchants and software developers are often confused by the various levels of advice available to them. Some companies do not complete the rigorous QSA training, testing, certification or peer reviews that guide our processes and methods to determine compliance to PCI standards. Accordingly, the advice provided by a certified QSA may differ from advice provided by an industry observer who is not subject to the QSA process.

  • Cybernorris
    Unless the rules have changed, it is not possible for an individual to become QSA certified unless employed by a QSA company. Unfortunately, most QSA companies, when hiring, don't want to invest in a non-QSA-certified individual, so it is very hard to get hired as a QSA without prior certification and experience. I petitioned multiple times to take the QSA class and test in order to become employable as a QSA.
