Thursday, June 11, 2009

Using QSAs on Staff for Security Assessments

David Taylor, founder of the PCI Knowledge Base, has written an insightful guest editorial for Storefront Backtalk on the benefits of using Qualified Security Assessors (QSAs) who are staff employees (at large companies, for the most part), rather than farming the job out to third parties.

He has found that "a PCI assessment by the Internal Audit department may be tougher than using a QSA," and it’s "less likely to result in a mandate to purchase security products and services that do not match the risk management profile of the merchant."

He sees a growing number of companies using their own QSAs, which will ultimately lead to a “forking” of the QSA industry, "with some of the best companies adding more risk management, security strategy consulting, and 'Beyond PCI' technology focus to their practices. For example: Assessing the effectiveness of tokenization, or end-to-end encryption, or secure cloud computing will require skills far beyond the checklist mentality, and really help differentiate the 'cream' of the QSA companies."

This is a must-read!
