Re: How to learn PCI standards and become QSA

["J. Lion" <jv4l1n4 () gmail com>]

I do not know the nature of your client's business nor the revenue
generated. But, the best way to be compliant is to not store, transfer
or process credit cards.

It might more cost-effective to outsource as indicated by Rui and let
someone else worry about the PCI requirements.

In regards to being a QSA - I thought that there was about $20k fee
for the company to apply and $500 to train each employee.



On Mon, Jun 2, 2008 at 3:09 PM, Rui Pereira (WCG) <wavefront1 () shaw ca> wrote:
> Since your client appears to be quite small, why not just have her outsource
> her credit-card processing and avoid the PCI DSS trap altogether?
>
> Thank You
>
> Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA,CWNA
> Principal Consultant
> WaveFront Consulting Group
>
> wavefront1 () shaw ca | www.wavefrontcg.com | 1 604 961 0701
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Scott Race
> Sent: June 2, 2008 10:25 AM
> To: security-basics () securityfocus com
> Subject: How to learn PCI standards and become QSA
>
> Hello,
> I have a new client who accepts credit cards, both online and at her
> small office/store.  She holds credit cards #'s an unsecured .mdb
> database, and from my initial network audit she has a ton of other
> security related issues I need to address (weak passwords, firewall,
> encryption, physical access issues).
>
> Since she will need to become PCI complaint, a qualified QSA must scan
> her network (which I am not).  I have began studying the materials I
> have downloaded off the Security Council website (Security Audit
> procedures, self-assessment questionnaires).
>
> It appears all I need to do is to fill out an application and give them
> $500 yearly to become a QSA?  Is there any training you anyone can
> recommend?  I have a strong background in network security, and I'm able
> to at least understand the basics of the requirements (though it seems
> there is room for interpretation).  Currently I am just studying the
> requirements and applying them to what I already know.
>
> Thanks in advance, hope my question makes sense.  Basically I want to
> learn this stuff the correct way and make sure I am addressing
> everything.
>
>
> ~Scott
>
>
> No virus found in this incoming message.
> Checked by AVG.
> Version: 7.5.524 / Virus Database: 269.24.4/1478 - Release Date: 02/06/2008
> 7:12 AM
>
>
> No virus found in this outgoing message.
> Checked by AVG.
> Version: 7.5.524 / Virus Database: 269.24.4/1478 - Release Date: 02/06/2008
> 7:12 AM