As a merchant that accepts credit card payments, you are undoubtedly aware of the need to certify your compliance with PCI regulations each year. If you process more than 6 million transactions with any one card issuer, that compliance assessment must be led by a QSA, or Qualified Security Assessor, an independent third party.
The QSA-led assessment process is often time consuming (and in some cases, stressful), but much of the stress can be alleviated by working with the right QSA. All too often, companies hire the QSA firm that offers the fastest and/or the least expensive assessment, and the result is a subpar experience. While cost is always a concern, when it comes to determining your compliance there is more to consider than just how much the process will cost. The following are five important questions that you simply can’t afford to overlook when choosing a QSA.
1. What Are Your Qualifications?
All QSAs must have at least some background in IT or IT security, and must pass a challenging exam to be certified as a QSA. However, that doesn’t mean that all QSAs are created equal. It’s best to hire a QSA who has a background and experience in, or at least in-depth knowledge of, your industry and the challenges it faces. For example, healthcare companies are different from retail companies, which are different from financial services firms, and a compliance assessment must take those factors into account. An assessor who knows your industry can also leverage that experience to expedite the assessment and apply guidance that is more relevant to your business.
In addition, it’s usually wise to choose a firm that has experience in both information security consulting and implementation. These companies can provide a more in-depth assessment that goes beyond a checklist, while also guiding your company on how to correct problem areas and become more secure overall.
2. Has Your Company Ever Been in Remediation?
If a QSA company does not comply with PCI DSS reporting procedures, it is likely to be placed in remediation and must complete steps to correct the identified deficiencies. When evaluating potential contractors for your compliance audit, ask candidates whether they have ever been in remediation and, if so, why and how the issues were corrected. You can also find information about remediation on the PCI Security Standards Council website. However, the website only lists companies that are currently in remediation, not those that have successfully completed it. Keep in mind that just because a company has been cited by the PCI Security Standards Council doesn’t mean it isn’t fully capable or the right fit for your company. Violations can occur for any number of reasons, and firms generally go to great lengths to correct the issues.
3. Have Companies Ever Improved Their Security as a Result of Your Assessment?
A QSA assessment is not only about satisfying the PCI Security Standards Council and getting a task off your to-do list. When done well, it provides insight into the overall security of your company and the areas in which you can improve. When reviewing prospective firms, ask about their previous engagements and request examples of clients whose security posture improved as a direct result of the firm’s assessment and recommendations. PCI DSS is only a baseline for security measures; you want to work with a company that can help you exceed those requirements.
4. Who Will Conduct the Work?
All too often, the QSAs that companies meet with during the data gathering and analysis phase of the assessment are not the same people who make the on-site visit to evaluate the implementation of the security controls. This can be problematic because the on-site evaluators may not understand all the nuances of the business and the controls already in place, and that gap is reflected in the final report. Before hiring a QSA, ask who will be handling the work, request a breakdown of the responsibilities and the person assigned to each, and find out how the firm avoids miscommunication and disconnects between multiple assessors.
5. Are You Independent?
Finally, it’s important to be aware of any connections a QSA may have to specific companies or products. Some QSA firms are affiliated with security product vendors, for example, and may use the assessment as an opportunity to sell you a new security system, which is a conflict of interest when the same firm is judging your compliance. Be aware of such arrangements before you sign on with a partner.
Choosing the right QSA can make the difference between a smooth, beneficial process and one that is a major headache. Ask the right questions, get all the information, and make an informed choice.