The PCI SSC has recently announced changes to the QSA Qualification Requirements. The supplementary document dated June 2015 reads:
“The requirement to possess at least one industry-recognized certification is effective as of January 1, 2016 for new QSA Employees. For QSA Employees qualified and added to the search tool prior to January 1, 2016, this requirement is effective July 1, 2016 (for example, upon annual requalification after June 30, 2016).”
Which industry-recognized certifications are acceptable?
There are two lists published by the SSC: A and B (see below).
Currently, one certification from either List A or List B is sufficient. The SSC does, however, recommend holding one from each list, and this may at some point become the requirement.
Personally, I think the SSC is trying to raise the bar for who conducts PCI DSS assessments and performs QA. It may also be an effective technique to filter out non-technical individuals, which in turn may improve the quality of Reports on Compliance and of the recommendations provided to merchants and service providers. Where previously the SSC relied on the quite ambiguous “5 years IT Security experience”, it has effectively outsourced the background check process to ISC2, ISACA and other certification bodies, which already perform thorough background checks on all candidates.
Note: CISSP, CISM and CISA each require a minimum of five years of relevant full-time work experience (information security for CISSP, information security management for CISM, IS audit, control or security for CISA), subject to limited waivers for education and other credentials. The experience is verified by the certifying body after the exam is passed, during the endorsement or application stage, so passing the exam alone does not confer the certification.
List A – Information Security
- Certified Information System Security Professional (CISSP)
- Certified Information Security Manager (CISM)
List B – Audit
- Certified Information Systems Auditor (CISA)
- GIAC Systems and Network Auditor (GSNA)
- Certified ISO 27001, Lead Auditor, Internal Auditor
- International Register of Certificated Auditors (IRCA)
- Information Security Management System (ISMS) Auditor
- Certified Internal Auditor (CIA)