How to select the right Qualified Security Assessor

Today’s Payment Card Industry Data Security Standard (PCI DSS) is one of the most prescriptive models for strengthening security through compliance. The Standard helps organisations unearth common weaknesses in information security practices and define a minimum level of security for protecting cardholder data. But achieving and validating compliance with the Standard can require significant investment and effort that distracts internal resources. As a result, many organisations turn to outside assistance to implement the Standard.

Companies that are required to undergo an audit and complete a Report on Compliance (RoC) for PCI DSS compliance should also be assessed by approved PCI Qualified Security Assessors (QSAs), according to the Payment Card Industry Security Standards Council (PCI SSC).

An RoC usually applies to Level 1 and 2 merchants and service providers, but organisations that have to complete a self-assessment questionnaire (SAQ) will find that using a QSA lends greater credibility to the completed SAQ.

QSAs are not created equal

Although all QSAs must meet the same set of requirements to become certified by the PCI SSC, QSAs vary not only in experience, aptitude and thoroughness but also in how they interpret requirements and how they evaluate the appropriateness of security measures and controls.

The right QSA can help identify and address security risks while meeting an organisation’s specific needs and budget. A good QSA is able to translate concepts into business terms, giving the company a firm grasp of the PCI requirements and the impact they may have on the business.

Selecting a QSA that has the right knowledge and experience will not only make sure that you achieve and maintain compliance with the PCI DSS but will also give you peace of mind that you are able to reduce your risks and control your costs on an ongoing basis.

Pitfalls to avoid

A key criterion that many merchants and service providers have when evaluating QSA companies is the cost of the assessment. For many, keeping costs as low as possible is a priority, and the lowest-priced QSA company will often win the business. However, it’s important to keep in mind that the cost of compliance is always lower than the cost of non-compliance.

Some QSAs employ the tactic of spending too little time onsite with the client. This can be problematic because much of the control validation must be done in person. QSAs that take a tick-box approach to compliance can put your organisation at risk of compliance violations.

Another area to scrutinise is whether the QSA has the appropriate technical and industry experience. Without a sound technical background and understanding of where cardholder data flows, a QSA could potentially over- or under-scope a PCI assessment. A scope that’s too narrow can lead to cardholder data being compromised, and a scope that’s too broad can unnecessarily increase the cost of the implementation or even undermine the effectiveness of the whole programme.

Tips for selecting the right QSA

  • Audit versus assessment: Your PCI assessor should work with you to understand your business model and make efforts to go further than a simple ‘yes/no’ approach to understand how security measures work together to achieve compliance and maintain security.
  • Assessment scoping: The PCI SSC makes confirming the scope of the PCI assessment a QSA’s primary responsibility. A QSA should ask questions about your environment to help determine project scope and cost. If the QSA doesn’t ask, this may indicate a one-size-fits-all approach to assessment.
  • Experience and expertise: Your QSA should have detailed knowledge of the Standard and the challenges that organisations face when implementing its requirements. A good QSA will work in partnership with your team and help you to understand what is required and why, giving you control over the implementation.
  • Compensating controls: Evaluating these requires more than basic assessment skills. Not all QSAs have the expertise and judgement to thoroughly vet compensating controls and determine whether they are acceptable.
  • Onsite follow-through and verification: QSAs should verify that all answers are correct by spending sufficient time onsite to review and examine settings, configurations and documents on their own.

Register for our free webinar

If you want to learn more about achieving and maintaining PCI DSS compliance, you should attend our webinar: PCI DSS: Audit success in nine essential steps. You’ll find out:

  • Essential areas to help prepare for a successful RoC audit;
  • How to identify nonconformities before the audit takes place; and
  • How to choose the right QSA.

This webinar will take place on 17 January 2018, from 3:00–4:00 pm. If you can’t make it, the presentation will be available to download from our website.