PCI Compliance: The QSA's Perspective

Interview with Peter Spier of Fortrex Technologies

April 2, 2010.

Over the past year or so, since the Heartland Payment Systems breach, we've heard a lot about the Payment Card Industry Data Security Standard (PCI DSS). What does 'PCI compliant' mean? Can a PCI compliant organization be breached? What's the role of the Qualified Security Assessor (QSA)?

Peter Spier, Senior Risk Management Consultant with Fortrex Technologies, has written a recent guest blog on PCI compliance, and in an exclusive interview offers insight on:

  • The QSA's role;
  • What's most misunderstood about PCI compliance;
  • How organizations can maximize their compliance efforts.

Spier is President of the ISACA Western New York Chapter and a Senior Risk Management Consultant at Fortrex Technologies based in Frederick, Maryland. Peter attained his graduate degree from Syracuse University's School of Information Studies and, over the course of 12 years of experience, has earned Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), Qualified Security Assessor (QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST CSF Assessor certifications, among other credentials.

TOM FIELD: In terms of PCI, what is the QSA's perspective?

Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are getting the unique perspective on PCI today from Peter Spier, Senior Risk Management Consultant with Fortrex Technologies.

Peter, thanks so much for joining me.

PETER SPIER: Glad to be here, Tom. Thank you for having me.

FIELD: Now you have just written a guest blog for us about this topic, but maybe now you can take just a minute to tell us a little bit about yourself and your background.

SPIER: I would be glad to. I was a graduate of Syracuse University School of Information Studies, and I am President of the ISACA Western New York Chapter. I am, as you mentioned, currently a Senior Risk Management Consultant with Fortrex Technologies and the QSA, so I do quite a bit of living and breathing PCI.

FIELD: Well, that's great. Now as I mentioned up top you have just written a guest blog on the topic; what would you say is the key point you wanted to get across in this piece you wrote?

SPIER: You have asked a very good question. I think that one of the things that is often confused about PCI post-Heartland, Hannaford, and TJX and all this, is that perhaps this is a weakness or deficiency in the PCI DSS standard or in the USA validation practices. I felt that it was an important point to mention that there may be shared responsibility all around, but I don't believe that it is the inherent weakness in the PCI standard itself.

FIELD: Well, you make a good point because particularly since the Heartland case there has been a lot of talk about 'What is PCI compliance, what is the role of the QSA, can I be compliant and still be breached?' Given all of this discussion, what do you find to be most misunderstood by people when they are talking about this?

SPIER: I think that people often forget that the giving a report on client and the onsite assessment itself - it is a point in time, and it is beginning to look at a sample of systems and processes. With this sampling methodology, QSA is intending to utilize the standards and the requirements to interpret compliance. However, it really is the responsibility of the merchant and the service provider to maintain their compliance on all of their systems all of the time throughout the year.

So really when we come back in a subsequent year to do an assessment, there shouldn't really be a large amount of effort to get ready for the assessment; instead that compliance should have been maintained.

FIELD: Now as you know, there has been an awful lot of talk about the QSA's role as well and some criticism in the conversation. What do you find as a QSA is most misunderstood about what you do?

SPIER: I think that it may be something, at least in the press, which is usually interpreted as the QSA being somewhat either a part of the PCI Council or influential over the standards themselves. I like to think of my role as a QSA as in being the advocate for compliance for our service providers and merchants that we are assessing.

I believe that we very much want to see them achieve their compliance; however, it needs to be within that baseline standard of the PCI DSS requirements, and certainly they need to be able to exhibit and demonstrate that compliance 100 percent.
