What does “qualified third party” mean in PCI 6.6?

    27 Jun 2008

    There’s been a lot of hoopla surrounding the PCI DSS requirement 6.6 compliance deadline next week. Even with all the noise, there is some good news for both covered entities and independent security professionals such as yours truly. In the PCI DSS requirement 6.6 Information Supplement document, the first sentence at the top of page 3 states: “Manual reviews/assessments may be performed by a qualified internal resource or a qualified third party.”

    But nowhere, anywhere, have I been able to find out what “qualified third party” means... until today. Yep, the horse’s mouth itself (the PCI Security Standards Council) told me:

    “Req 6.6 it is any independent, qualified security organization with expertise in application security.”

    Excellent... so dealing with all those high-end “QSAs and ASVs” (the whole process of which I think is a ridiculous sham), who may be of questionable quality, is not necessary! Any little old security peon like me could do these types of assessments. I feel honored.

    Wow, a free market concept where everyone wins... There are some good snippets coming out of the regulatory world every now and then after all, I suppose.

    BTW, in case you haven’t seen the links I posted in the past couple of weeks, here are two reality-check articles I wrote regarding PCI requirement 6.6 code reviews and web application firewalls that you’ll enjoy:

    The realities of PCI DSS 6.6 application code reviews
    The realities of using WAFs for PCI DSS 6.6 compliance