Tips to select a PCI-QSA

In this article..
Identifying a QSA Company
Check References
Big Name QSA
QSA Location
Onsite Costs
Handling Disagreements
Using Prior Work

If you are a level 1 merchant/service provider or have been required to have an assessment for some reason, you need to have a QSA perform an assessment. Each organization has different needs. When you are looking for a QSA for an assessment, there are some things that you should consider to make it easier on yourself later on.

Identifying a QSA Company
The first thing to remember that QSAs always belong to a QSA company. You cannot have a QSA individual doing freelance work. PCI SSC (PCI Security Standards Council) requires that every QSA work for an authorized QSA company. They also list every registered QSA (company as well as individual). So the first thing that you can do is to go to the PCI SSC website and look for a QSA company. Every company along with the contact information is listed.

One thing that you can see is that some companies may be listed as “in Remediation”. This status indicates a determination by the PCI SSC, after Quality Assurance review, that a QSA organization has violated applicable QSA Validation Requirements. This status may result from failure to comply with any number of applicable QSA Validation Requirements.

Don’t just go with the lowest bidder. A QSA with a higher bid might actually end up saving you money over the long run. Research the QSA company thoroughly.

Check References
Working with companies that have some experience in your industry always helps. So, get some references and talk to individuals at these companies. There is a lot of stuff in the PCI-DSS that is left to the QSA’s discretion. Ask about the actual employees that did the assessment. You will need people that are not very difficult to work with. I have had customers complain about their previous QSAs that are downright rude and it is either their way or the highway. You need someone who understands your problems implementing suggested solutions. But also remember that it is the QSA’s signature on the ROC (Report of Compliance). The PCI SSC is cracking down on companies that certify compliance by being too flexible. You can look up individual QSAs on the PCI SSC website.

Big Name QSA
One decision that you will need to make is whether to go with a big name company. If you are looking for a certification from a big name company and are prepared to pay for that name, go right ahead. But there are a lot of smaller QSA companies, including ours, that provide very good service for quite a lot less than a big name company. One thing that I have noticed with these companies is that a lot of stuff that should be in scope for the assessment is actually excluded because they have not bothered to understand the requirements well. They usually have some junior person doing the grunt work and the senior QSA sitting in the office signing ROCs.

“Compliant” QSA
If a QSA guarantees you that you will be compliant by a certain date, you need to be wary about that person/company immediately. There are some companies that will take your money and go through the motions and certify you. But if a breach happens, you are the one left holding the bag. The QSA’s work will be audited and may face sanctions, but the most damage will be to your company’s reputation and bottom-line. I have had instances where customers have asked me why I was failing them on something when another person for another company had no problem with it. The only thing I can do in this situation is to explain why I failed them and hope that they don’t run to the other company that passed them even though they should have failed them.

QSA Location
Remember that the QSA must to do the assessment on-site (for Level 1 assessments). While some of the work like reviewing documentation can be done remote, the QSA still has to verify certain things on-site. For instance, the QSA can review your network architecture diagram off-site. But this still needs to be verified by going on-site. In certain cases, having a local QSA helps, since flying in every time something needs to be done on-site or having someone stationed for a length of time can add to the cost. If your cardholder environment is relatively small or you do not have many locations, flying in a QSA might not be a factor when you consider the total cost of the engagement.

Note: Most Level 2,3,4 assessments do not require on-site assessments.

Onsite Costs
A lot of QSAs expect to be on-site for most of the PCI assessment engagement. For the client, this can translate to huge costs. It is important to be prudent and understand that minimizing on-site time is going to reduce costs. The QSA should be able to justify on-site visits with valid reasons. I have heard clients complain that QSAs have wanted to be on-site for weeks for relatively medium sized projects that should perhaps taken up to a week of on-site time. Once on-site, these QSAs need to be escorted around, resulting in additional costs related to this escort. On-site time can be minimized with a little planning without compromising on quality.

Before engaging a QSA company, ask what their process is and how long they think they need to be on-site. If they have done enough Level 1 assessments, they should be able to tell you the things they do to keep the on-site visits to a minimum. When they come on-site, they should already be familiar with your environment and should have a clear plan of what they will do. A lot of QSA companies send one or more QSAs on-site and then they start looking at documentation. This is a clear waste of time and money for you.

Handling Disagreements
As mentioned earlier, a lot of stuff is left to the QSA’s discretion. The QSA and you might not be in agreement over, say, whether a control fulfills the requirement. Also, there is no conditional compliance. You are either “compliant” or “not compliant”. You cannot say that you have an approved plan for implementing a control and that you are about 20% into the implementation. If it is not already in place, you are not compliant. But there are other areas when you can get into a disagreement. For instance, you are supposed to have 4 quarters of clean vulnerability scans. I personally would accept a minor problem with, say the first (the oldest) of the last four scans if that issue has been remediated or you have sufficient controls in place. Another QSA might not.

It is important that you and the QSA share a good rapport. The QSA is responsible for interpreting the PCI-DSS standards on behalf of the card brands. It is unusual for serious disagreements but if you dont agree with the QSA on something, research it well and ask for a justification from the QSA.

Using Prior Work
You may have had another QSA perform part of the work before switching to a new QSA. Talk to the new QSA about whether they will use the work performed by the previous QSA. The new QSA should not blindly accept the previous QSA’s work without verification. But they should also not dismiss it since you will end up paying for the same work twice. Again, remember it is the QSA’s signature on the AoC (Attestation of Compliance). So, expect the QSA to be hesitant in accepting another person’s work.