About the Position
Leave behind what you think you know about PCI assessors; we’re not
checklist auditors wearing blinders. We’re hackers and developers and
sysadmins; we’re security professionals first, compliance assessors
second, and we have a lot of experience doing this.
As a Qualified Security Assessor (QSA), you’ll be:
Helping clients meet their compliance obligations by evaluating their business, technology and operations against security standards like the PCI DSS or HIPAA.
Sharing your expertise to help make top-level decisions on topics like strategy and scope as well as deep and highly technical projects like web application architecture and security.
Providing clear, organized findings and recommendations to clients and tracking progress towards resolution and compliance.
Producing detailed, high-quality reports for clients and industry third parties like payment card brands and the PCI Security
Learning from our close-knit group as well as contributing your thoughts, tools, industry news or lessons learned.
Making this all look easy by juggling several concurrent projects at any given point in time.
As a Payment Application Qualified Security Assessor (PA-QSA), you’ll be:
Helping software developer clients implement practices to produce secure applications and find and crush security vulnerabilities before the bad guys can take advantage of them.
Picking apart payment software with packet sniffers, debuggers, process monitoring utilities and maybe even a few tools you write
Testing applications for security vulnerabilities while providing clear, coherent explanations of your findings and recommendations to fix the issues.
Have previous experience consulting, either within your place of employment or for outside clients.
Truly comprehend information security principles and apply them.
Feel at home installing and operating a variety of UNIX or Linux systems. Familiarity with OS/400 or its ilk is a plus.
Understand code or script. Ruby and Python are nice, but it’s more about concept than actual language.
Comfortably present security concepts or findings to both highly technical and entirely non-technical audiences.
Have paid enough attention in English class to write clearly and well. If you slept through classes, but figured it out later, that’s okay too. But we’re serious about writing well.
You’ll get a gold star if you:
Have payment card (PCI DSS, PA-DSS, P2PE, PFI), financial (GLBA, SOX, SSAE 16) or health care
Understand database security or cryptography really well.
Know about forensic analysis or incident response.
Are professionally, or willing to get, certified (while certifications don't indicate competence, they do reflect professionalism and a minimum knowledge level) in any of the following:
Security and IT certifications (e.g., CISSP, GIAC,
Technical certifications (e.g., MCSE, CCNA, etc.)
Related industry certifications (e.g., QSA, PA-QSA, ISA,
Speak a language besides English fluently (you still need English, though). Bonus points if you have a valid US passport and know as many IATA airport codes as you do technology acronyms.
Participate in relevant professional organizations like OWASP, InfraGard, ISACA or the like.
Please don’t apply if you:
Are a blowhard.
Think it’s okay to illegally access other people’s computers, networks or user accounts.