• What does “qualified third party” mean in PCI 6.6?

    27 Jun 2008

    There’s been a lot of hoopla surrounding the PCI DSS requirement 6.6 compliance next week. Even with all the noise, there is some good news for both covered entities and independent security professionals such as yours truly. In the PCI DSS requirement 6.6 Information Supplement document, the first sentence at the top of page 3 states “Manual reviews/assessments may be performed by a qualified internal resource or a qualified third party.”

    But nowhere – anywhere – have I been able to find out what “qualified third party” means….until today. Yep, straight from the horse’s mouth (PCI Security Standards Council) told me:

    “Req 6.6 it is any independent, qualified security organization with expertise in application security.”

    Excellent….so dealing with all those high-end “QSAs and ASVs” (the whole process of which I think is a ridiculous sham) who may have questionable quality is not necessary! Any little old security peon like me could do these types of assessments. I feel honored.

    Wow, a free market concept where everyone wins…There are some good snippets coming out of the regulatory world every now and then after all I suppose.

    BTW, in case you haven’t seen the links I posted in the past couple of weeks, here are two reality-check articles I wrote regarding the PCI requirement 6.6 code reviews and web application firewalls that you’ll enjoy:

    The realities of PCI DSS 6.6 application code reviews
    The realities of using WAFs for PCI DSS 6.6 compliance

Resources

Client Testimonials

“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.

His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”

(IT managed services firm)
Read More

 

I’ve written/co-written 12 books on information security including:

 

Tags

application security appsec basics books careers censorship CISO CISSP cities compliance coronavirus covid-19 cybersecurity data breaches hacking Hacking For Dummies heads in sand health incident response information risk keynote speaker leadership macOS networked cameras passwords patching racing resilience Russian hacking SDLC security culture security leadership security program management security speaker selling security social engineering speaking engagements spec miata sql injection tiktok time management training vulnerability and penetration testing web security

© Copyright 2001-present, Principle Logic, LLC - All Rights Reserved.