Free eBook - PCI For Dummies by Qualys

[BillV]

g00d_4sh, I've been looking into this.   It seems like it's not that difficult to become a QSA.   There is a crap load of paperwork it seems, for the company.   You have to go through training, which is not expensive $1200, and pay a fee.

https://www.pcisecuritystandards.org/qsa_asv/become_qsa.shtml

At first, I saw this and was like WOW, only $1,200?? Because I knew it was way more than that before....

Then I found the QSA document: QSA Requirements and noticed 'Appendix D: QSA Fees' .. $20,000 in US. So I was off by $5K.. but still a good chunk of change.

I remembered the ASV being much cheaper, like $2,500 or something, but that document says the application/testing process is now $10,000. (ASV Requirements

So either way is not really cheap.

BillV

[BillV]

Perhaps the company you're working for can pick-up that cost though... which would certainly be nice

I was looking at this from the perspective of being my own company originally. There are other requirements, such as insurance coverage and such that you have to carry as well. When I was scoping it out, the insurance plan required to be an ASV was going to cost me roughly $2K-$3K/year.. can't remember exactly (though I'm sure I still have the quote sitting around somewhere...)

[g00d_4sh]

Yuck Bill... that doesn't sound like a fun prospect to me.  Then again... I've gotten soft having easy access to such things for a few years.  As you can understand heh.

[jakinne]

@Ketchup:

Good points - career-wise I've been a systems engineer/admin for almost 5yrs, and 7 yrs before that in IT operations.  It didn't strike me to structure my resume in a way that would emphasize what each job experience gave me for each knowledge domain.

Also, I hear you on the dud PCI auditors.  We are currently going through our second PCI audit, and the auditor last year was clearly underqualified.  Lately I've been reading alot about mounting pressure on QSA's which would explain the higher quality we are seeing with this year's auditor.

I do agree that passing an exam doesn't say much for your ability to assess compliance with PCI, et al.  More years under the belt will certainly produce a more qualified auditor, provided those are true years of learning and practice.  (i.e.: 10 years of experience, not 1 yr. experience times 10).

Thanks,
Justin

[jakinne]

@BillV:

Certainly not cheap at all...

Looking through some of the other requirements, such as the ability for PCI SSC to audit the QSA at any times during normal business hours, I wonder how many independent QSA's are out there...

Justin

[Ketchup]

Bill, thank you!  I just printed out that document on the printer at work and forgot it there.   I hadn't made it to the fees section.  This certainly is a bummer, the $20,000 initially and $10,000 annually for US organizations.   

The fee schedule is structured so that you almost have to have a few clients lined up before you even consider applying to be a QSA.  One bright side is that I work for a small consulting company, so we are used crap like this.   It would be nice to take a small piece from Delloitte or KPMG .   

[UNIX]

I second Ketchup's statement. Although I am not eligible for some certs I am interested in, I think there is a reason why such an amount of experience is required. Theoretical knowledge is essential, though it does not mean much without practical one. Those years which are required in order to apply for such certs should enable one to take the time which is needed to earn experience - though it is possible that one could learn in one year more about security than someone who worked for three years in the industry and had hardly any tasks with security.
I also think that such certs as the ones mentioned already may not be the ones one should look at the beginning - there are many other certs which should help you with your knowledge and career. The other ones will come anyway.

[BillV]

No problem guys

I don't know how many times I read through each of those documents a while back. I had to make sure I got all the information and the details. QSA was definitely out of reach for me (self-funded anyway) but ASV (at the time) I thought was reasonable. For $10K now.. that's a stretch. But yeah, like Ketchup mentioned, you'd definitely have to have some clients lined up - whether it's PCI scanning, testing, whatever; you'd need some decent income coming in.

@jakinne: I'm not sure how many independents there are out there. I know on the PCI site they have a list of ASV's (or did). Not sure if they also have a list of QSA's available but I'd imagine they would.

BillV

[chrisj]

Regarding the PCI experience requirement, I actually think it should be more than 5 years.   As many of us have seen there are a ton of auditors out there who are not worth a dime.   I don't mean to sound pompous, but passing an exam just demonstrates that you can take tests.   Experience counts more than anything in my opinion. 

More than that, I want someone who doesn't just have 5 years experience doing security, I want someone with 5+ years experience interacting with people. Not just typical help desk droids either. One thing that I haven't seen any exam (not that I've taken anything more than the CCNA or the LPI exams) is a focus on soft skills.

I've seen a couple of Sr Network Engineers who knew his stuff, but couldn't explain things to the business to make it happen. Best they could come up with was "because" arguments. Doesn't matter what kind of cert you have, you need to be able to talk to upper management and explain things in terms they can understand. Which is probably why it has such a high price tag. They probably can't think that things cheaper are worth it.