PCI QSAs: Which do You Want – Thorough or Check-the-Box?

Posted by Steve Levinson on Dec 10, 2012 3:05:21 PM

If you were going to the doctor’s office for a physical, would you be more confident in a doctor who takes your temperature and blood pressure, or would you rather suffer through that short-term pain of having blood drawn for a more thorough analysis? The same can be said for Payment Card Industry (PCI) Qualified Security Assessors (QSAs): there are some who perform “PCI-lite” assessments where they just check the box and there are others who provide a much more thorough analysis. When you are searching for a QSA partner, do you want a “fly-by” QSA or one who will partner with you to gain a deeper understanding of your business model and security posture so they can provide strategic advice and be a valued partner?

There are several low-cost QSAs who offer “easy” assessments. These QSAs not only border on being negligent in their duty to perform a proper PCI assessment, but they perform a disservice to the PCI community in general by not upholding the PCI DSS assessment methodologies (and ultimately give the PCI industry a bad name). According to the PCI Council (and I am in complete agreement!), no company who has suffered a cardholder data breach has ever been compliant at the time of the breach. Be wary of QSAs who claim to only need an absurdly small amount of time on site to perform an assessment (for example, one week for a large merchant) or who claim to only need to sample a suspiciously small number of systems/locations.

Warning Signs

While there are some synergies associated with QSAs performing some of the PCI assessment from their home offices (e.g., document review), there really is no substitute for being on site for most interviews (especially technical interviews) and for over-the-shoulder configuration reviews. Any QSA who relies solely on a repository for a client to dump their documentation, configurations, and screenshots is bordering on negligence. Be sure that you understand the QSA’s scoping and sampling methodology so that you fully understand how many systems and processes the QSA should be reviewing during the assessment. If a prospective QSA’s scope seems too low to be true, it means that they will either need to circle back with a change order or that they will not be adequately sampling/assessing your cardholder environment.

Florence Nightingale or Nurse Ratched?

Most companies going through the QSA selection would benefit from partnering with a QSA who is a collaborative, trusted advisor (I know, this term is near the end of its useful colloquial lifecycle – you have any fresher terms to use?) and who can perform a thorough analysis in the relatively short amount of time they have to perform the assessment. While it is important for a QSA to have strong technical acumen, I think it is even more important for a QSA to take a pragmatic, risk-based approach to understanding how your business works and why systems and applications do the things they do. A collaborative QSA works closely with their clients to really understand their business, which puts them in a position to not only conduct a thorough and proper PCI assessment, but also to make recommendations to address any gaps related to PCI compliance and make other strategic or tactical recommendations to improve your security posture. A good QSA will discuss any pertinent findings with their clients on a real-time basis so there are no surprises. This provides an opportunity for the QSA and the client to team up to determine optimal remediation strategies to address any gaps.

Take Two Pills and Call me in the Morning

A QSA who acts as your trusted advisor will not only work with you to create gap remediation strategies (if needed), but will also help you holistically determine how the gap occurred in the first place so that you can modify policies, procedures, standards, or behaviors to prevent future recurrences. In addition, a QSA who is a true partner does not just ride into the sunset at the conclusion of an assessment; instead, they make themselves available to act as your sounding board throughout the year and keep you abreast of threats, risks, trends, and current events regarding IT security and payment card security.

The Prognosis?

Don’t worry – while some QSAs may cause you to lose sanity, they will not have to take your blood or stick you with needles! While a proper PCI assessment may cause you some short-term pain, the benefits should amount to improved security posture, which should in turn increase the chance of your organization being truly compliant.

Topics: Security
