On the topic of independence and thoroughness, the SSC is apparently suggesting that it is acceptable to have an individual QSA:
- Perform the assessment.
- Remediate the issues in the environment.
- Re-assess the environment in subsequent years.
In my opinion, you may as well have the merchant or service provider simply self-assess at this point, because the QSA's objectivity is all but gone.
Anyone who has ever gone through QSA training and has spent any time doing work in the infosec space will tell you that the training materials are fairly simple, and the test is a walk in the park.
In fact, most QSAs will tell you that they haven't learned anything substantially new by virtue of becoming a QSA. For the most part, the certification only enables them to be the examiner of record on paper.
In other words, no special knowledge required, zero objectivity, and lots of multi-year managed service contracts between QSAs and merchants.
It's not hard to see why things like Heartland and RBS are happening. The ROC has become less honest than the tax return.