Security Basics mailing list archives

Re: How to learn PCI standards and become QSA


From: Jason <securitux () gmail com>
Date: Tue, 3 Jun 2008 09:49:05 -0400

Well she doesn't need a QSA if she's level 2-4 merchant. Best to look
at the requirements on the PCI website and understand what she needs
to have done. If it's just an external scan, have a look at QualysGuard
PCI. It's a VA / scanning tool with the questionnaire that she (or
you) can perform.

FYI your company has to be a QSA before you can. It costs $25,000 to
be a QSA company and a $10,000 annual maintenance. The $500 is just
for the training and certification of the individuals inside the
company. Plus there is an extensive application process.

Just go on the PCI website and look at the requirements there.

-J

On Mon, Jun 2, 2008 at 1:24 PM, Scott Race <srace () jdaarch com> wrote:
Hello,
I have a new client who accepts credit cards, both online and at her
small office/store.  She holds credit card #'s in an unsecured .mdb
database, and from my initial network audit she has a ton of other
security related issues I need to address (weak passwords, firewall,
encryption, physical access issues).

Since she will need to become PCI compliant, a qualified QSA must scan
her network (which I am not).  I have begun studying the materials I
have downloaded off the Security Council website (Security Audit
procedures, self-assessment questionnaires).

It appears all I need to do is to fill out an application and give them
$500 yearly to become a QSA?  Is there any training anyone can
recommend?  I have a strong background in network security, and I'm able
to at least understand the basics of the requirements (though it seems
there is room for interpretation).  Currently I am just studying the
requirements and applying them to what I already know.

Thanks in advance, hope my question makes sense.  Basically I want to
learn this stuff the correct way and make sure I am addressing
everything.


~Scott