Over the years we've helped hundreds of organizations with Payment Card Industry Data Security Standard (PCI DSS) compliance. Some of the common concerns we hear from organizations grappling with the standard are that they want more support from their Qualified Security Assessor (QSA), consistent advice and guidance, and a pragmatic approach to evaluate and address risks to their business.
A good QSA will work with you as a partner, first and foremost. Your QSA needs to understand your challenges, your technical environment, and help you make the best decisions about what's right for your particular situation.
Here are five tips to help you choose the right QSA for your next PCI Compliance audit.
How experienced is the QSA?
- Quick Tip: Make sure your QSA has broad experience across all areas of subject matter encompassed by the PCI compliance requirements.
Ask the QSA about their experience, skills, areas of knowledge and certifications to find out what makes them the best choice for your audit. The depth and breadth of subject matter encompassed by the PCI standards requires individuals who have comprehensive experience in a number of different technologies, as well as expertise in risk analysis and management. Along with a broad mix of skills, your QSA should have an excellent grasp of the intent of the PCI requirements, and how best to apply them to your business.
What is the QSA's technical knowledge?
- Quick Tip: Check their references and screen carefully for their technical ability. Make sure your QSA actually understands what they're doing.
PCI compliance involves a blend of business practices and technology requirements. Your QSA should have the technical expertise to understand when some of the elements that the standard requires are just impossible for your business or technology to support. A good QSA will understand the applicability and feasibility of implementing technical controls suggested by a particular DSS requirement and how you can address them while leveraging existing technology and resources.
What is the QSA's approach to the audit and how will they work with your team?
- Quick Tip: Ask the QSA how they approach the audit process and if they have a documented methodology and/or project management plan they follow.
A good QSA will take a consultative approach to your compliance and will work in partnership with you and your stakeholders to understand your business. Rather than dictating terms and giving you instructions, a good QSA will explain the intent of the DSS requirements and help you interpret them in the context of your business. A good QSA will have a keen eye for opportunities to ultimately lower the cost and reduce the complexity of what's in scope for compliance.
A good QSA will communicate regularly with your team and won't shy away from delivering good or bad news. In addition, an experienced QSA will be willing to communicate with others outside your immediate team when appropriate or contact your acquirer for guidance on acceptable risk.
What is the QSA's experience with "compensating controls," what is their philosophy on them, and when do they feel they are appropriate?
- Quick Tip: Ask for examples on when the QSA used compensating controls during one of their PCI Compliance audits.
The need for deeply and broadly experienced QSAs is most clearly illustrated in the way in which the PCI DSS makes provision for the use of "compensating controls". Without a background in IT security, it can be very difficult to understand or make recommendations on this type of risk reduction strategy. For instance, an assessor whose main experience prior to being involved with the PCI DSS was in audit may not be able to understand what constitutes a valid compensating control, or help an organization architect a solution that includes them.
Will the QSA stand behind their work?
The PCI DSS is complex, and so is your business. In some instances, you may need a QSA who can go to bat on your behalf and make a case for the use of a particular compensating control. A good QSA will be willing to stand behind the quality of their audit and be willing to present your case successfully to the PCI Council if needed.
Selecting a QSA who has the right mix of expertise, knowledge and approach can be instrumental in your company's successful compliance with PCI DSS requirements. Although there is no magic formula for hiring the perfect QSA, the advice outlined here should help you in the process.