Do QSA’s Understand PCI?

I guess that title should say “Can anyone clarify PCI?” or “Can we get some PCI consistency please?.  I find myself in discussion day after day on topics around PCI.


What is required for web app test?  Is it authenticated? Is it just a scan?  Is it just my external environment?  Is it only my card holder systems?


I know the council is trying to do their best with outlining the standards but there still is a serious lack of consistency across QSA’s and organizations.  I found this so frustrating that I developed the cartoon below to represent my opinion.



Basically Mr. CEO here is not meeting PCI compliance and his QSA’s are all telling him something different.  Even better is the new standards and enforcement that all the QSA’s themselves are trying to understand?  Will any big enterprise be able to make compliance?