At the PCI Middle East and Africa Forum, the PCI Security Standards Council (PCI SSC) announced plans to evolve the PCI Qualified Security Assessor (QSA) program to attract new cyber talent globally and ensure its sustainability and quality in a changing payment environment. The initiative will be rolled out in phases, beginning in 2017 with a dedicated industry task force focused on the development of an Associate QSA certification.
A QSA Company is a data security firm certified by the PCI SSC to perform on-site assessments of a company’s PCI Data Security Standard (PCI DSS) compliance to ensure that robust policies and procedures are in place to safeguard payment data against cyberattacks. The QSA program plays a critical role in the adoption of PCI Security Standards.
“Just like PCI Standards continue to evolve, PCI programs must also evolve and adapt to changes in payments in a sustainable way,” PCI SSC General Manager Stephen Orfei told attendees at the Cape Town meeting. “This initiative will help address the shortage of cybersecurity professionals in the payments industry by bringing new talent to the QSA program, and it will ensure that high quality QSA services are available for merchants and service providers into the future.”
Cybersecurity firm Symantec has estimated the demand for the global cybersecurity workforce will rise by 6 million by 2019, with a projected shortfall of 1.5 million. As cybercriminals continue to threaten the safety of payments, cybersecurity skills are critically important to the payments industry moving forward.
Changes to the QSA program will focus on supporting future standards and technologies and attracting new cybersecurity talent to develop the next generation of QSAs, and will be developed and implemented in conjunction with a dedicated industry task force.
The Associate QSA certification will provide a professional path for new entrants to join the industry and gain experience to qualify as a QSA. “The Associate QSA initiative will broaden the abilities for security specialists to leverage their skills, expand our delivery capabilities and maintain our high level of service,” added South Africa-based Andrew Henwood, a speaker at the PCI Middle East and Africa Forum and CEO of Foregenix, a QSA Company.
The PCI SSC plans to begin accepting applications for Associate QSAs in early 2018. Updates on the development of the Associate QSA certification and future changes to the QSA program will be discussed at the 2017 PCI Community Meetings in Bangkok, São Paulo, Orlando and Barcelona.
“The initiative is a product of extensive market research into what the industry needs from the QSA program for the future and how PCI SSC can support these needs in a sustainable way,” said PCI SSC Chief Operating Officer Mauro Lance. “Our goal is to create more opportunities for bringing in new cyber talent to the industry and for QSAs to aspire to higher skills.”
The PCI Perspectives blog post “Minding the Cybersecurity Gap: New Associate QSA Program” provides additional insights on the initiative.