There’s been a lot of hoopla surrounding the PCI DSS requirement 6.6 compliance deadline next week. Even with all the noise, there is some good news for both covered entities and independent security professionals such as yours truly. In the PCI DSS requirement 6.6 Information Supplement document, the first sentence at the top of page 3 states “Manual reviews/assessments may be performed by a qualified internal resource or a qualified third party.”
But nowhere, anywhere, have I been able to find out what “qualified third party” actually means... until today. Yep, the PCI Security Standards Council itself, straight from the horse’s mouth, told me:
“Req 6.6 it is any independent, qualified security organization with expertise in application security.”
Excellent... so dealing with all those high-end “QSAs and ASVs” (the whole process of which I think is a ridiculous sham), whose quality may be questionable, is not necessary! Any little old security peon like me can do these types of assessments. I feel honored.
Wow, a free-market concept where everyone wins... There are some good snippets coming out of the regulatory world every now and then after all, I suppose.
BTW, in case you haven’t seen the links I posted in the past couple of weeks, here are two reality-check articles I wrote on the PCI DSS requirement 6.6 options, application code reviews and web application firewalls, that you’ll enjoy:
The realities of PCI DSS 6.6 application code reviews
The realities of using WAFs for PCI DSS 6.6 compliance
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”