Apr14
This article lists some of the things you should consider when selecting a QSA for a PCI assessment.
In this article:
Identifying a QSA Company
Check References
Big Name QSA
“Compliant” QSA
QSA Location
Handling Disagreements
Using Prior Work

If you are a level 1 merchant or have been required to have an assessment for some reason, you need to have a QSA perform an assessment. Each organization has different needs. When you are looking for a QSA for an assessment, there are some things you should consider to make it easier on yourself later on.
Identifying a QSA Company
The first thing to remember is that QSAs always belong to a QSA company. You cannot have an individual QSA doing freelance work. The PCI SSC (PCI Security Standards Council) requires that every QSA work for an authorized QSA company. It also lists every registered QSA (company as well as individual). So the first thing you can do is go to the PCI SSC website and look for a QSA company. Every company is listed along with its contact information.

One thing you will see is that some companies may be listed as “in Remediation”. This status indicates a determination by the PCI SSC, after a Quality Assurance review, that a QSA organization has violated applicable QSA Validation Requirements. It may result from failure to comply with any number of those requirements.
Don’t just go with the lowest bidder. A QSA with a higher bid might actually end up saving you money over the long run. Research the QSA company thoroughly.
Check References
Working with a company that has some experience in your industry always helps. So get some references and talk to individuals at those companies. A lot in the PCI DSS is left to the QSA’s discretion. Ask about the actual employees who did the assessment. You will need people who are not difficult to work with. I have had customers complain about previous QSAs who were downright rude and for whom it was their way or the highway. You need someone who understands the problems you face in implementing suggested solutions. But also remember that it is the QSA’s signature on the ROC (Report on Compliance). The PCI SSC is cracking down on companies that certify compliance by being too flexible. You can look up individual QSAs on the PCI SSC website.

Big Name QSA
One decision you will need to make is whether to go with a big-name company. If you are looking for a certification from a big-name company and are prepared to pay for that name, go right ahead. But there are a lot of smaller QSA companies, including ours, that provide very good service for quite a lot less than a big-name company. One thing I have noticed with big-name companies is that a lot of what should be in scope for the assessment is actually excluded because they have not bothered to understand the requirements well. They usually have some junior person doing the grunt work and the senior QSA sitting in the office signing ROCs.

“Compliant” QSA
If a QSA guarantees that you will be compliant by a certain date, you need to be wary of that person or company immediately. There are some companies that will take your money, go through the motions and certify you. But if a breach happens, you are the one left holding the bag. The QSA’s work will be audited and the QSA may face sanctions, but the most damage will be to your company’s reputation and bottom line. I have had instances where customers asked me why I was failing them on something when another person from another company had no problem with it. The only thing I can do in this situation is explain why I failed them and hope that they don’t run to the other company that passed them even though it should have failed them.

QSA Location
Remember that the QSA must do the assessment onsite. While some of the work, like reviewing documentation, can be done remotely, the QSA still has to verify certain things onsite. For instance, the QSA can review your network architecture diagram offsite, but it still needs to be verified by going onsite. There are also lots of interviews with key personnel that will need to happen. In certain cases, having a local QSA helps, since flying someone in every time something needs to be done onsite, or stationing someone there for a length of time, can add to the cost.

Handling Disagreements
As mentioned earlier, a lot is left to the QSA’s discretion. The QSA and you might not agree over, say, whether a control fulfills a requirement. Also, there is no conditional compliance. You are either “compliant” or “not compliant”. You cannot say that you have an approved plan for implementing a control and that you are about 20% into the implementation. If it is not already in place, you are not compliant. But there are other areas where you can get into a disagreement. For instance, you are supposed to have 4 quarters of clean vulnerability scans. I personally would accept a minor problem with, say, the first (the oldest) of the last four scans if that issue has been remediated or you have sufficient controls in place. Another QSA might not. The PCI SSC requires all disagreements and their resolution to be documented.

Using Prior Work
You may have had another QSA perform part of the work before switching to a new QSA. Talk to the new QSA about whether they will use the work performed by the previous QSA. The new QSA should not blindly accept the previous QSA’s work without verification. But they should also not dismiss it, since you will end up paying for the same work twice. Again, remember that it is the QSA’s signature on the ROC. So expect the QSA to be hesitant about accepting another person’s work.


