I spent some time a couple weeks ago in Toronto at the Payment Card Industry (PCI) Data Security Standard (DSS) Qualified Security Assessor (QSA) training and thoroughly enjoyed my short time in that awesome city! I wasn’t able to explore much this time since I spent most of my time in a classroom, and I am planning a trip back in the near future so I can experience more of the city. The PCI DSS course is broken out into two days, with an exam at the end of the second day. Here are some tips for PCI QSA training.
Day 1
The first day started promptly at 9 AM. Pay Attention to this! The PCI Security Standards Council (SSC) has a rule: if you are more than 30 minutes late, you will not be allowed into the class. They follow this rule, as one gentleman was unfortunate enough to find out, being turned away after arriving an hour late. He said it was due to traffic, but that of course did not matter. My advice is to stay at the hotel where the training is taking place, or very close to it. You can’t control the traffic (however, you CAN control how much you drink the night before). Your company’s investment is at risk and you don’t want to be the guy who returns to work without the training.
There is a lot of detail to go through and the instructor does a pretty good job of keeping your attention. He is full of corny jokes and funny voices that get your attention. You can expect to get through the intro slides and section eight on the first day. Lunch is provided and is about an hour long. If you’ve been in IT then you likely already know how male dominated the field is. Out of 50 attendees, there was one female. So if you were planning on QSA training just to meet women, you probably need to reevaluate.
Day 2
The second day you will finish the remaining four standards, review the Report on Compliance (RoC) and take an exam. You will also have a case to work on over lunch with your group, as assigned by the instructor. The case will make for some interesting debate among the attendees and the instructor. Here’s the heads-up: remember who in the room has the most PCI experience before you get into a big debate on network segmentation (hint: it probably isn’t you). You will learn there is an “eighth layer” to the OSI model… but you will have to wait for class to learn what that is all about.
At the end of the second day, at about 3:30, you will take an exam. You will have two hours for the exam, but if you are like most of the attendees, you will only need an hour. If you read the PCI training material and go to class, the exam is reasonable. Assuming you start the exam as scheduled you could be done by 4:30. There are those who will go over every question three times and take the full two hours though, so if you need it, it’s there. Hope this helps you understand the process a bit better and good luck!