What I learned at the Portland, PCI Community Meeting…

I absolutely admire and respect QSA’s!

QSA’s are highly qualified, very experienced and hold deep, PCI DSS subject matter knowledge. They need these attributes since completing the PCI DSS v4.0 Report On Compliance is complex, stressful and frequently leads to burnout!

Regarding PCI DSS v4.0 – QSA’s start by understanding the client’s organisation, then review them against:

  • Part 1: Assessment Overview – 46 pages
  • Part 2: Breakdown of section requirements – 440 pages
  • Validation fields – 700: covering Interviews, Observations, Document fields etc

What I learned at the Portland, PCI Community Meeting... 1

As if that wasn’t enough…. try adding the new INFI – Items Noted For Improvement report. Along with completing all the N/A fields for the unused Customised Approaches or Compensating Control Worksheets, QSAs now need to document whether there is an INFI or not for each and every PCI DSS requirement. Moreover, this could involve the creation of an internal report that potentially lists all 260 PCI DSS Requirements as either being N/A or as not having any INFI’s.

Did I say that this is complex, stressful and frequently leads to burnout?

Taking into account the time constraints wrapped around a Level 1 assessment, the Quality Assurance process and the commercial demands to achieve validation and signature before moving onto the next ROC, I now appreciate how demanding this role has become.

The 27k1 RMS – ROC Management System

27k1 Ltd recently introduced the 27k1 RMS to QSA companies attending the PCI Community Meeting, Portland, Oregon. The 27k1 RMS digitizes the ROC, so that the compliance work completed by QSA’s within the software, automatically populates the Level 1 assessment. We believe that the software will save up to 6 days from the completion of each assessment and reduce burnout.

The responses that we received from 27k1 RMS system demonstrations was overwhelming. Feedback from the QSA community confirmed that this purpose built software, intended for use by qualified QSA companies is unique, especially because a license agreement between the PCI SSC and 27k1 will allow the integration of their ROC template in word format into the software, so that the QSA’s compliance work will automatically populate the ROC. 27k1 will be the first company to offer this incredible feature.

For a no-obligation, system demonstration, simply contact: www.27k1.com/contact