cipherlex.com | Cyber Security Consulting

How to become a Qualified Security Assessor (QSA)? — A Practical Guide

Jake Eliasz

PCI DSS is becoming increasingly important as businesses globally recognize the critical need to protect payment card data, comply with legal and regulatory requirements, maintain consumer trust, and mitigate financial risks associated with data breaches.

With its growing importance, more individuals from various backgrounds are considering pursuing a career in Security Auditing and often wonder what it takes to become a Qualified Security Assessor (QSA).

This article summarizes all formal requirements and provides insights and thoughts from a QSA, who has worked in the industry for nearly two decades.

Core Requirements

The QSA Program is managed by the PCI Security Standards Council (PCI SSC). There are certain core requirements each QSA candidate needs to meet to be fully licenced to conduct formal PCI DSS assessments, such as:

  1. The QSA candidate must be employed by a QSA Company.
  2. The QSA candidate possesses sufficient information security knowledge and experience to conduct technically complex security assessments.
  3. The QSA candidate possesses a minimum of one year of experience in each of the following information security disciplines: Application security, Information systems security and Network security.
  4. The QSA candidate possesses a minimum of one year of experience in each of the following audit/assessment disciplines: IT security auditing, Information security risk assessment or risk management.
  5. The QSA candidate possesses at least one of the following accredited, industry-recognized professional certifications from each list: List A — Information Security and List B — Audit. For the full list of eligible professional certifications, please review the QSA Program Guide.
  6. The QSA candidate attends annual QSA Employee training provided by PCI SSC, and passes all examinations conducted as part of training.

There is a lot to take in here, so let’s clarify it further and dive deeper into #5. The QSA Program mandates two industry-recognized professional certifications. As an example to illustrate the expertise required, I’ve selected two widely recognised certifications:

  • CISSP — Certified Information Systems Security Professional — (List A)
  • CISA — Certified Information Systems Auditor — (List B)

Both CISSP and CISA certifications require candidates to have a minimum of five years of professional experience in multiple security domains. Therefore, on top of the minimum years of experience that PCI SSC mandates, there is also a separate mandate from the certification bodies, such as ISC2 and ISACA, which is usually set at five years of experience.

Look, the more exposure one has to a range of technologies, the better Security Auditor one becomes. It is much easier to assess and find gaps in systems the QSA is familiar with. Some of the best QSAs I’ve worked with had plenty of experience in designing, deploying and managing IT systems in previous roles.

Five (5) years of technical expertise. This is how long it takes to become a capable QSA candidate.

In addition, QSAs should only assess technologies they are familiar with. As new technologies emerge, QSAs need to continuously educate and develop their skills in these technologies.

In summary, to become a QSA, you’ll need a professional technical background in risk management, compliance, and IT technologies. You will also need to hold at least two recognized professional certifications from reputable organizations such as ISACA, ISC2, or others. Completing a PCI SSC authorized training course and passing an exam are also required.

Don’t have sufficient technical experience? See the section below.

What if you come from a non-technical background?

My best advice is not to rush to chase the QSA badge. Get some hands-on experience and get your hands dirty. Take your time working as a System Administrator, Security Analyst or Engineer and slowly build up your expertise across as many security domains as you can, namely:

  • Network and Systems Security
  • Cloud Security
  • Application Security
  • Operational Security
  • Cryptography
  • and many others.

Sure, there are ways to accelerate the QSA career path, but once you become a QSA, you will lose the ability to work and play with the systems daily. You will be busy assessing organisations globally on the knowledge you’ve built in your previous roles.

Enjoy the journey and build your cyber security career on a strong technical foundation.

Lastly, PCI DSS might be just the beginning of your QSA journey. PCI DSS is 1 of 15 standards in the family of PCI SSC standards. The more technical you are, the more advanced licences you can apply for, which allows you to perform more sophisticated assessments, such as:

  • Secure Software Assessments (SSF / SLC)
  • PIN Assessments (QPA)
  • Point-to-Point Encryption (P2PE)™ Assessments
  • Card Production Security Assessments (CPSA)

A word on the Associate QSA (AQSA) Program

The AQSA Program was developed in mid-2017 and announced in early 2018. As a member of the AQSA Task Force, I helped develop this program with one primary objective: to provide QSA Companies with a path for bringing in new cyber security professionals and developing them into full QSAs under the guidance of an experienced mentor.

Mentoring. That’s what the AQSA Program is about.

I don’t have any figures on how many fellow cyber professionals have gone through the AQSA Program since its introduction. However, there are two main obstacles you may come across when considering this program, especially if you are new to the industry:

  • Associate QSAs must be employed by an eligible QSA Company. This can be difficult in the current market, where most QSA Companies seek certified QSAs who are ready to hit the ground running.
  • Prerequisites also include a college or university degree in an IT or security-related field, or two years’ experience in IT or security.

More about the AQSA Program can be found in this useful FAQ.

Career prospects after working as a QSA

Plenty. You will be exposed to many cyber security domains and will learn a great deal about how businesses operate. On top of the technical expertise you will get under your belt with each assessment, you will also master:

  • communication, presentation and public speaking skills,
  • exposure to the C-Suite,
  • report writing and technical documentation review skills,
  • project management skills — every assessment is a standalone project,
  • people management, mentoring and leadership skills,
  • many other non-technical skills.

There are plenty of opportunities out there for ex-QSAs, across all cyber security domains, from consulting up to CISO roles.

Enjoy your QSA journey and build your cyber security career around it.

Jake Eliasz is an Independent Cyber Security Advisor working under his own brand, cipherlex.com. For nearly 20 years, Jake has been helping global businesses balance ever-growing cyber threats, compliance, and the security of their most valuable assets. Jake holds a Master’s Degree (MSc) in Information Security along with several industry-leading certifications such as CISSP, ISSAP, CCSP, CISA, CEH and QSA.
