I went through the 3-day mandatory PCI-DSS QSA (Qualified Security Assessor) certification training this week. Each and every one of the PCI-DSS requirements was covered, in addition to QSA responsibilities, reporting and validation requirements. I expected it to be a dull lecture with many people nodding off. On the contrary, it was riveting the whole time, with lively discussions.
There were about 53 participants. The first 2 days were very busy, starting at 8:30 and ending at 6:30 on the first day and 5:30 on the second. On the last day, the class was divided into 6 groups and each group was given a case study. There was also a test at the end, which we needed to pass to be certified as QSAs.
I also attended the 2009 ISACA Winter Conference on the 26th and the 27th, for which AppSec Consulting was a sponsor. Alex Stamos gave a good presentation on “Cloud Computing Security”. There was a panel discussion on PCI-DSS, and that was interesting too. One thing that I noticed was that there were a lot of misconceptions about PCI-DSS, and I am going to try to dispel at least some of them in the next post.