Penetration Testing mailing list archives

RE: Importance of being a QSA


From: "Erin Carroll" <amoeba () amoebazone com>
Date: Tue, 28 Nov 2006 12:00:00 -0800

3 shool,

Not sure if this helps in your particular case, since I have no idea what
services you are offering your clients, but I thought I'd make a
clarification: The QSA certification and the ASV certification are two
separate animals for PCI work. A QSA is more like an auditor for PCI
compliance. An ASV is a vendor qualified to perform quarterly external VA
against PCI in-scope systems. Unless your company is doing more than
VA/pen-testing then a QSA cert is probably not worth the investment in time,
training, and dedicated staff.

QSA requires trained and certified auditors as part of your company staff
for PCI security controls and compliance, on-site personnel during the scope
of the engagement/audit, and encompasses things like selecting
systems/system components where audit sampling will take place. If your
company is offering those services as part of your core, then a QSA may be
worthwhile. However, if you are only performing VA/pen-testing (mostly
remote, some on-site, etc.), then you might consider becoming an ASV
instead. This would allow you to tackle the quarterly PCI VA for your
clients and cover their PCI butts. Most of the ASV requirements revolve
around presentation of the VA data and not necessarily the tech/tools or
methodology (aside from Network/OS/application-based testing listed as
required realms to test).

It should be noted that per PCI 1.1 guidelines (section 11.2), ASVs are
only required for the quarterly VA tests to meet PCI reporting compliance.
The PCI annual penetration testing requirement has no such stipulation
(section 11.3) and can be performed by any company, ASV or not.

Hope that helps some. Maybe you'll get some more leeway with your client on
this if you've had a prior happy working relationship and they get the
nuances explained to them. A QSA in no way guarantees quality security
testing in the way we on this list would think of as thorough.... it's like
SOX auditors, a necessary evil :)


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 
 


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of 3 shool
Sent: Tuesday, November 28, 2006 3:48 AM
To: pen-test () securityfocus com
Subject: Importance of being a QSA

Hi All,

We have been doing penetration tests for more than 4 years for our
customers, including financial and e-commerce segments. One of our
customers came up with a requirement that they would get PenTest
services ONLY from a QSA (Qualified Security Assessor) by PCI, as part of
company policy.

We have been delivering fantastic results for them over the years and
they too haven't had any security breaches during this period. I
heard about this on the mailing list last year but just wanted to know
how important it is to be a QSA for companies like us who have been
doing PenTests for a good period.

Is it just a marketing strategy or is it something more than OSSTMM or
other methodologies that we don't account for in our tests?

THNX

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



