This was originally posted as an INSIGHT for Wolf & Company, P.C. here.
If your organization is new to PCI compliance, you are probably wondering how you should choose which QSA to work with. This decision is not one to take lightly, as there are nearly four hundred QSA Companies (QSAC), with an estimated one thousand individual QSAs.
There are three main areas you should focus on when vetting your potential QSAC and QSAs. First, you must ensure that the QSAC and QSA have experience in your industry. The QSAC and QSA should also have an in-depth understanding of the PCI DSS, and should be able to articulate the key details for your environment. Finally, you should look to form a committed partnership with your QSAC and QSA. PCI DSS compliance is not a binder you dust off once a year, but instead requires you to develop an ongoing and regularly updated process.
Industry Experience
There are several benefits to working with a QSA with experience in your industry. The PCI DSS does not change based on your organization’s industry, but a QSA with industry experience can be a valuable resource when recommending control implementation or remediation efforts. A QSA that has worked with several clients within your (or a similar) industry will be able to outline processes they have seen work well. In addition, they can warn of potential roadblocks other organizations have run into. Beyond direct industry experience, a QSA that has worked in several unrelated industries can provide a unique perspective and approach to meeting some of the more difficult requirements.
In-Depth Understanding of the PCI DSS
The PCI DSS is a very detailed and prescriptive set of requirements, and you will want to speak with your potential QSA to gauge their level of understanding. The best way to accomplish this is by walking through the unique aspects of your cardholder data environment (CDE). Every organization has a unique process, team, or segmentation issue that requires detailed planning to ensure maintained compliance. Use your QSA as a resource in planning these changes to ensure the proposed changes will not result in failed requirements. There are also many efficiencies to gain by reviewing multiple requirements simultaneously. Knowledgeable QSAs should not walk you through the PCI DSS in a straight line, but will combine the tests to make the audit a smooth process.
A Committed Partnership
PCI DSS compliance is not just an annual task. The PCI DSS has always been a continual process, and starting January 2018, new requirements will ensure organizations are monitoring their compliance as an ongoing project. Therefore, your QSA should be an expert that you can turn to throughout the year to ensure the company is still maintaining compliance. The last thing you want is a new QSA every year that has to start from scratch learning everything about your business processes and CDE.
Finding a new QSA to work with should not be a hasty decision, but it does not have to be a complicated process, either. Ensure the QSA and QSAC you will be working with have worked within your industry, but can also support that experience with a perspective from several other industries. The QSA you will be working with should have a thorough understanding of the PCI DSS complexities, and should be able to identify and walk you through potential solutions in your CDE. Lastly, you should be looking for a partnership, not a “check-the-box” annual audit. With these three factors in mind, your organization can find a QSA that will effectively assist you in adhering to the PCI DSS.
- Find a QSA – The PCI SSC maintains a list on their website to verify all QSAC and QSA certifications. This resource provides contact information, as well as a feedback opportunity.
- QSA Qualifications – The PCI SSC publishes the prerequisites, course outline, and re-qualification requirements. Reviewing these documents will help you understand the baseline competency, and will allow for more in-depth technical conversations with your QSA.