Secure Payments, PCI DSS, Regulatory Compliance Blog

The Spanish QSA

June 4th, 2007 by Rob Newby Posted in Approved Scanning Vendor, Europe, QSA

If you download the latest QSA list, open it up and do a quick search for “Spain”, you’ll only come up with one name: Daniel Fernandez Bleda of Isecauditors.com, based right here in my home town of Barcelona.

I’d had someone contact me through my personal blog to talk about PCI; he was also based in Barcelona and needed some pointers. As I am a vendor, I thought it prudent to get an independent expert in to keep his mind at rest. I was in contact with Daniel by email, but had yet to meet in person. He seemed to know what he was talking about, so I invited him in.

So, 5 of us (2 from my company, 2 from Daniel’s, 1 interested consumer) crammed into our offices at 3pm on Thursday afternoon to see what we could arrange. Daniel dealt with the queries as they arose, and very kindly conducted proceedings in English, which was obviously not his preferred method of communication. Still, a lot more natural than me speaking Spanish, so much appreciated. No hablo Espanol.

Backtracking a little, I had contacted Daniel previously to speak about PCI in Spain, thinking he would be inundated with business here, being in his unique position. We wanted to partner with him, being a vendor who might be able to surf the giant PCI wave… apparently this is not the case. Most of Daniel’s business comes from other auditing and compliance work. The QSA status (and soon to be ASV) is there to keep skills up to date and provide a little marketing. He was delighted to have the chance to speak about PCI with a real live opportunity in Barcelona.

The last time I spoke about the lack of interest in PCI in Spain I had someone on this blog (who shall remain nameless because I can’t remember who it was) tell me how they had loads of Spanish work on, but couldn’t tell me anything about them because it would breach NDA. Sorry, but I’m having difficulty believing you now, especially when you can’t provide ANY proof.

I’ve only been here 5 months now, but I’ve picked up PCI customers in the UK and US in that time, and still not a sausage in Spain, not even the scent of chorizo. We even have one of the largest banks in the area trying out our software, and the only PCI account I’ve even heard of over here is an international company getting pressure from their German processors. Caixa Catalunya passed on the pressure, but they aren’t interested for themselves in terms of PCI.

If there’s anyone more qualified to talk about PCI in Spain than Daniel, please let me know. I’d love to hear that I’ve completely missed a rich seam of business opportunity buried deep below the cracked surface of Spanish IT security.

I’m also interested to get more of an overview purely for personal reasons, otherwise I’m going nuts here.

  1. 6 Responses to “The Spanish QSA”

  2. By APM on Jun 4, 2007

    Rob,

    We’ve communicated before about PCI DSS in Spain. Basically, it’s not happening.

    Walk into any bank in Spain and not only will there be piles of forms containing cardholder data (amongst other “identity theft” related information) on bank workers’ desks but these will be in an open office environment.

    I also checked over the weekend (and “yes”, I am that anal!!!) and the stuff is left out overnight.

    This is a shame as I desperately want to see the Standard being promoted here. I can’t see it happening for a while though.

    At a guess, I think the card schemes will get the US and UK “sorted” this year and then maybe look to the rest of Europe next year.

    Possibly.

  3. By datasecurity on Jun 4, 2007

    Rob, maybe you need to brush up on your Español. ;)
    Seriously, I think that SEPA will have a big impact on the European PCI DSS compliance market. Wait and see.

  4. By Sorani on Jun 17, 2007

    Hi, Rob.

    Perhaps at this moment, Daniel is the only one in the PCI list as QSA, but I can tell you that he is not the first one. The first people to become QSAs by VISA were 3 people from the Spanish security company S21sec (www.s21sec.com) who were certified in September 2006.

    I can confirm that the situation in Spain is very complicated, because banks are not enforcing PCI compliance and retailers don’t know very much about it, much less that they have to comply with it…

    Kind regards,

  5. By Rob Newby on Jun 17, 2007

    Yes, I’m aware that there have been other QSAs in Spain. I didn’t mean to imply Daniel was the only one there’s ever been. He was quite clear about this to me when we met in fact.
    I’ve also had contact with s21sec and am aware of what they are doing. The fact is, they are no longer QSAs. At present they seem to be working more with their log management product, but that’s another story altogether.
    Sadly, yes, PCI in Spain is way behind, and I would also place the blame squarely at the feet of the banks. The retailers won’t even have a clue until they start pushing for it. Some of the Caixas are starting to hear it more from their European counterparts, so I tend to concur with datasecurity that SEPA will level things out a bit.

  6. By Julian Inza on Jul 19, 2007

    It seems that S21sec was included in this sheet:

    http://www.visaeurope.com/documents/ais/qualified_security_assessors.pdf

  7. By Julian Inza on Jul 19, 2007

    By the way, Albalia Interactiva is offering PCI DSS Assessment Services to merchants and acquirers, as a part of the certification process.
