Talk:Qualified Security Assessor

On the term "Quack"
This is a common usage in many PCI shops, referencing the relative uselessness of PCI and the fact that many QSAs do not know a terrible amount about the subject they are investigating. This in turn further degrades the usefulness of PCI as information can be rapidly displayed to the QSA, leading them many times to just check a box without investigating it. This has led many in the industry to refer to them as "Quack Security Assessors" as it references Quackery (http://en.wikipedia.org/wiki/Quackery) except in an Information Security sense rather than a medical sense.

I am employed by a member of the PCI Council in a high-level tactical and strategic information security capacity. Infosecs (talk) 17:27, 4 June 2015 (UTC)


 * The term 'Quack Security Assessor' that keeps being added to the page doesn't appear to add anything to the article. If this really is a pervasively used term, then cite some meaningful sources. Otherwise, this seems very much like someone airing a grievance. Exponium (talk) 17:46, 4 June 2015 (UTC)


 * I don't think it is up to anyone here to act based on our own biases. This is common vernacular and, as the page is requesting input from secondary sources, I am here to provide that, as a secondary source intimately familiar with the material at hand. Infosecs (talk) 17:54, 4 June 2015 (UTC)


 * Per WP:OR, if you want to claim this as "common vernacular", cite some sources. Also consider WP:POV - if there is a common grievance against QSAs, consider adding a section to the page rather than changing the accurate definition at the start of the article. I am also intimately familiar with the material, and do not consider this a common use of the initialism. Exponium (talk) 17:59, 4 June 2015 (UTC)


 * I am a source. You seem to be biased and I would posit that you are too biased to maintain this page. Are you personally a QSA? If so, you would hardly be able to comment on what QSAs are called in common vernacular. Unless you work for one of the four (pardon my typo) five members of the PCI council (which I do), I seriously doubt you are as familiar as me with the terminology. Infosecs (talk) 18:11, 4 June 2015 (UTC)
 * I've never come across that term. Do reliable sources use it? bobrayner (talk) 18:15, 4 June 2015 (UTC)
 * Yes, I work for Discover Financial Services as well as give talks on the practice of information security and pentesting. This term is not only common among individuals dealing with PCI, it is also quite common in pentest houses. Obviously, as we are an industry that is highly visible to executive management in the current threat climate, we cannot publish use of this term publicly in our reports and whitepapers. Infosecs (talk) 18:22, 4 June 2015 (UTC)
 * Yes, I'm a QSA. And there are 5 members of the PCI Council. This is why anecdotal evidence can't be relied on. Exponium (talk) 18:19, 4 June 2015 (UTC)
 * As you are a QSA I claim bias and question your ability to manage this page in an objective manner. Infosecs (talk) 18:20, 4 June 2015 (UTC)
 * Fortunately, Wikipedia has a multitude of policies designed to protect me from my own bias. Feel free to point out any biased contributions according to Wikipedia policies and I'll be happy to edit or remove them. For now, though, please don't add your 'Quack' definition to the article unless you can back it up with good sources other than your own anecdotal experience, and as per my previous suggestion, such a definition doesn't belong in the first line of the article. Exponium (talk) 18:25, 4 June 2015 (UTC)
 * Excuse me, but the article is calling for sources and a personal narrative is absolutely a valid source. Infosecs (talk) 18:29, 4 June 2015 (UTC)
 * It is not, per WP:OR (no original research), and WP:V (verifiability). Exponium (talk) 18:32, 4 June 2015 (UTC)
 * "Primary sources are original materials that are close to an event, and are often accounts written by people who are directly involved. They offer an insider's view of an event, a period of history, a work of art, a political decision, and so on." — Preceding unsigned comment added by Infosecs (talk • contribs) 18:36, 4 June 2015 (UTC)
 * "Citing Yourself": "You may cite your own publications just as you would cite anyone else's, but make sure your material is relevant and that you are regarded as a reliable source for the purposes of Wikipedia." By all means, go and write a public article explaining that this term is used, make sure your article is noteworthy, establish your credibility as a reliable source, and then add the definition in a separate section of the article - as it still has no place in the opening sentence unless you think the term "Quack" is used as frequently as the actual definition. Exponium (talk) 18:42, 4 June 2015 (UTC)
 * Ah but it is, created after the breach of several major retailers that were "PCI compliant" which more or less showed the uselessness of the PCI certification and auditing process. — Preceding unsigned comment added by Infosecs (talk • contribs) 18:46, 4 June 2015 (UTC)
 * And there's already a criticisms section on the PCI DSS article, which may be a better place for you to air your NEUTRAL and REFERENCED concerns, rather than using Wikipedia as a place to state opinions. Or, as I have suggested twice, you can create a separate section in the QSA article that talks about - perhaps - criticisms of the certification and experience requirements for QSAs. Again, with references and a neutral point of view. Exponium (talk) 18:50, 4 June 2015 (UTC)
 * Not sure what about that was not neutral or unreferenced. All the major retailers were PCI compliant, indicating that PCI provides no protections in the event of an attack. — Preceding unsigned comment added by Infosecs (talk • contribs) 18:51, 4 June 2015 (UTC)