04/03/2010 -
The PCI Security Standards Council is expected to release the details of a new QSA certification program in the next few months, allowing internal auditors at Level 1 and Level 2 merchants to become certified to conduct their own company's annual PCI assessment. Yet this raises some tricky questions for payment processing security, StorefrontBacktalk.com reported.
First, the savings may not justify the cost, the website reported.
"Merchants need to assess how significant the QSA's professional fees are in relation to the total cost of a PCI assessment," wrote QSA Walt Conway for StorefrontBacktalk.com. "Often, the infrastructure costs and dedicated internal resources - including the newly trained auditors - are a large part of the total cost. In addition, merchants still need internal and external penetration tests, the costs of which can be a major part of a QSA engagement."
Conway added that the quarterly external vulnerability scans must still be conducted by a third-party professional, called an Approved Scanning Vendor (ASV), which adds to the cost.
In addition, there may be a conflict of interest when a company's own staff conduct its audit, which could leave the business vulnerable to a payment processing breach despite being deemed "compliant."
Experts also advise merchants that passing a PCI compliance audit does not necessarily mean a business is secure: merchants must follow general security best practices around the clock, not just in preparation for an audit.