The Payment Card Industry Security Standards Council (PCI SSC) today announced a new programme designed to improve consistency among qualified security assessors tasked with determining the compliance status of organisations affected by PCI.
The initiative will give Qualified Security Assessors and Approved Scanning Vendors a set of requirements to comply with if they want to retain the ability to conduct PCI assessments.
Bob Russo, general manager of the PCI SSC, explained that the programme will complement the current training and strict applications vetting process.
"This is the next evolutionary cycle, and we wanted to take things a bit further by looking at the reports [the assessors generate]," he said. "This quality assurance programme is because there are now so many assessors out there, not because we've had any complaints about them."
The organisations which perform the majority of PCI assessments will be assessed every year, while those which are less prolific will go through the cycle every two or three years, unless a complaint is lodged against them. In this case they will jump to the head of the queue, said Russo.
PCI to assess the assessors
By Phil Muncaster on Nov 19, 2008 9:23AM