EH-Net

Got a copy of this at Black Hat. If you're new to PCI, this is a great free resource. Granted you have to fill out their form, but there are worse fates.


Get it here:
http://www.qualys.com/forms/ebook/pcifordummies/

Don

Well the Qualsys folks are already spamming me, so this is a win / win situation for me.   I was always curious about who is doing PCI audits outside of the big five consulting companies.   

Just curious, but who are the big five consulting companies?

Thanks Don for the Link, sounds interesting. :)

Thanks for the link. Will have a read when I have some spare time.

Awesec, I have always that they were Andersen Consulting, Delloitte, KPMG, Price Waterhouse Cooper, and Ernst & Young.   They are the ones doing most of the audits out there.   I was told that only they can actually certify you as PCI compliant.   I am not even sure what that means.   

Shouldn't any QSA be able to certify someone as PCI compliant? Isn't that the point of the program? Why else would someone spend $25K (last I checked) to get the QSA qualification?

Bill, I have no idea.  I  was hoping to get a straight answer to that question, but I have been told conflicting stories.   I am going to read that PCI for Dummies book :)

Haha, oh well. Let me know what you find out - if it mentions it in that book (or I may just sign-up and grab a copy). It's been a while since I looked into PCI ASV/QSA stuff, but for the costs involved I figured that was the point.

Thanks Ketchup, didn't hear of all of them.

$25K sounds a little much for a certification. :O

Yeah, but if those wanting to be PCI compliant are required to be scanned by an ASV or analyzed by a QSA, then it makes sense as to why the prices are high (as you could certainly charge quite a bit for your services). Again, I haven't looked at PCI stuff in over a year, but that was the case last I had checked.

PCI... HIPA... ohhh how I hate you all.  I worked on a POS system earlier this month, they were full of viruses... running built in admin for all users... surfing the web.  I tried to encourage them to work on thier security, by mentioning some of the highlights out of PCI etc.  The whole... "if you are playing with my credit card, for gods sake don't have the system be the same one you check your yahoo mail and gossip sites on.  It'sa smoothy bar.  Hot girls, not hot on security though.  Meh.  Either way, yeah I guess it would be an interesting cert to get for testing for compliance etc.  Interesting if you can get a business to pay for it that is.  Heh.

g00d_4sh, I've been looking into this.   It seems like it's not that difficult to become a QSA.   There is a crap load of paperwork it seems, for the company.   You have to go through training, which is not expensive $1200, and pay a fee.

https://www.pcisecuritystandards.org/qsa_asv/become_qsa.shtml (https://www.pcisecuritystandards.org/qsa_asv/become_qsa.shtml)

Nice link/info Ketchup.  :)  Thanks for the info.

Aside from the $1250 fee for the exam, there is a 5yr. infosec experience requirement (or a CISSP/CISM/CISA).

Many of you may not have to worry about this, but what about those of us that don't have that 5yrs. of resume experience?

This also applies to qualifying for certs like the CISSP and others...but doesn't the X years of experience seem kind of arbitrary?  If you have the knowledge necessary to pass the exam, plus the endorsement, what does the time get you?

What are others experiences in this regard?

Thanks,
Justin

Justin,

Most of us that have an interest in security are closer than you realize to the minimum number of years of experience required to sit for these exams.  It's really how you structure you resume.   For example, if you are currently employed as Network Administrator, chances are you are responsible for at least some of Operations security, such as keeping servers patched, AntiVirus deployed, etc.  When you put all this together, you are closer than you think to the number of years required.  Remember, it's not experience in all domains of security, it's one or more.   

When you sit for these exams, you have to structure your resume in such a way that it emphasizes your security experience.  In the CISSP sense, actually indicate that you are responsible for a particular area of security on your resume. 

Regarding the PCI experience requirement, I actually think it should be more than 5 years.   As many of us have seen there are a ton of auditors out there who are not worth a dime.   I don't mean to sound pompous, but passing an exam just demonstrates that you can take tests.   Experience counts more than anything in my opinion.  Would you really want someone who simply passed an exam looking after your credit card information?  Don't get me wrong, the CISSP test is not easy, but in my opinion it doesn't prove that you can tell <insert retailer here> how to store financial and personal data. 

At first, I saw this and was like WOW, only $1,200?? Because I knew it was way more than that before....

Then I found the QSA document: QSA Requirements (https://www.pcisecuritystandards.org/pdfs/pci_dss_validation_requirements_for_qualified_security_assessors_QSAs_v1-1.pdf) and noticed 'Appendix D: QSA Fees' .. $20,000 in US. So I was off by $5K.. :P but still a good chunk of change.

I remembered the ASV being much cheaper, like $2,500 or something, but that document says the application/testing process is now $10,000. (ASV Requirements (https://www.pcisecuritystandards.org/pdfs/pci_dss_validation_requirements_for_approved_scanning_vendors_ASVs_v1-1.pdf)

So either way is not really cheap. :(

BillV

Perhaps the company you're working for can pick-up that cost though... which would certainly be nice :)

I was looking at this from the perspective of being my own company originally. There are other requirements, such as insurance coverage and such that you have to carry as well. When I was scoping it out, the insurance plan required to be an ASV was going to cost me roughly $2K-$3K/year.. can't remember exactly (though I'm sure I still have the quote sitting around somewhere...)

Yuck Bill... that doesn't sound like a fun prospect to me.  Then again... I've gotten soft having easy access to such things for a few years.  As you can understand heh.

@Ketchup:

Good points - career-wise I've been a systems engineer/admin for almost 5yrs, and 7 yrs before that in IT operations.  It didn't strike me to structure my resume in a way that would emphasize what each job experience gave me for each knowledge domain.

Also, I hear you on the dud PCI auditors.  We are currently going through our second PCI audit, and the auditor last year was clearly underqualified.  Lately I've been reading alot about mounting pressure on QSA's which would explain the higher quality we are seeing with this year's auditor.

I do agree that passing an exam doesn't say much for your ability to assess compliance with PCI, et al.  More years under the belt will certainly produce a more qualified auditor, provided those are true years of learning and practice.  (i.e.: 10 years of experience, not 1 yr. experience times 10).

Thanks,
Justin

@BillV:

Certainly not cheap at all...

Looking through some of the other requirements, such as the ability for PCI SSC to audit the QSA at any times during normal business hours, I wonder how many independent QSA's are out there...

Justin

Bill, thank you!  I just printed out that document on the printer at work and forgot it there.   I hadn't made it to the fees section.  This certainly is a bummer, the $20,000 initially and $10,000 annually for US organizations.   

The fee schedule is structured so that you almost have to have a few clients lined up before you even consider applying to be a QSA.  One bright side is that I work for a small consulting company, so we are used crap like this.   It would be nice to take a small piece from Delloitte or KPMG :D.   

I second Ketchup's statement. Although I am not eligible for some certs I am interested in, I think there is a reason why such an amount of experience is required. Theoretical knowledge is essential, though it does not mean much without practical one. Those years which are required in order to apply for such certs should enable one to take the time which is needed to earn experience - though it is possible that one could learn in one year more about security than someone who worked for three years in the industry and had hardly any tasks with security.
I also think that such certs as the ones mentioned already may not be the ones one should look at the beginning - there are many other certs which should help you with your knowledge and career. The other ones will come anyway. :)

No problem guys :)

I don't know how many times I read through each of those documents a while back. I had to make sure I got all the information and the details. QSA was definitely out of reach for me (self-funded anyway) but ASV (at the time) I thought was reasonable. For $10K now.. that's a stretch. But yeah, like Ketchup mentioned, you'd definitely have to have some clients lined up - whether it's PCI scanning, testing, whatever; you'd need some decent income coming in.

@jakinne: I'm not sure how many independents there are out there. I know on the PCI site they have a list of ASV's (or did). Not sure if they also have a list of QSA's available but I'd imagine they would.

BillV

More than that, I want someone who doesn't just have 5 years experience doing security, I want someone with 5+ years experience interacting with people. Not just typical help desk droids either. One thing that I haven't seen any exam (not that I've taken anything more than the CCNA or the LPI exams) is a focus on soft skills.

I've seen a couple of Sr Network Engineers who knew his stuff, but couldn't explain things to the business to make it happen. Best they could come up with was "because" arguments. Doesn't matter what kind of cert you have, you need to be able to talk to upper management and explain things in terms they can understand. Which is probably why it has such a high price tag. They probably can't think that things cheaper are worth it.