Author: Todd Becker, PCI QSA, ISO 27001 Auditor
If you are a Level 1 or Level 2 merchant, complying with the Payment Card Industry Data Security Standard (PCI DSS) continues to get more complicated. The stakes have never been higher for large organizations that process payments. With major data breaches constantly in the headlines, such as Target, Home Depot, JP Morgan Chase and countless others, organizations are relying more and more on QSAs to help them navigate the Standard and get into compliance. Additionally, with risk management taking a larger focus, organizations are looking for QSAs with the right credentials who don’t simply take an audit checklist approach to PCI, but use critical thinking skills to delve deeper into the organization and uncover hidden risks.
How can you find a QSA that will act in the best interest of your organization? Be sure to ask the right questions before hiring any firm.
ANSWER THESE QUESTIONS BEFORE SEEKING FIRMS TO INTERVIEW
Before hiring a firm, an organization should ask themselves the following questions to gauge where they are with regard to PCI.
SUGGESTED QUESTIONS: Where does our organization stand today with PCI? How well does the organization understand its obligations related to PCI? How well does the organization meet those obligations?
KEY CONSIDERATIONS: The less you know about PCI, the more you’ll need a seasoned QSA who will take the time to educate and coach you. You’ll want someone who will help you understand the requirements in detail.
SUGGESTED QUESTIONS: What are we looking for in a QSA company and QSA? Is the organization interested in security or compliance? Does the organization know the difference/distinction? Is the organization looking for an auditor or a partner?
KEY CONSIDERATIONS: Any QSA is certified to simply validate that your organization does, or does not, meet the requirements of the PCI DSS. Some QSAs have the interest, capability and resources to help you establish and maintain compliance. Some QSAs have the interest, capability and resources to help you establish security. Some QSAs are just there to validate your current state. Your organization will need to make this decision and determination based on the answers to the above questions.
When your organization is ready to start interviewing QSA companies and QSAs, consider asking and/or exploring the following:
BACKGROUND OF QSA & QSA COMPANY
SUGGESTED QUESTION: Has your QSA company ever been in remediation?
KEY CONSIDERATIONS: Organizations will want to know if a QSA company has ever been in remediation to determine if said company has ever been in violation of DSS reporting procedures. Additionally, you can find out if the company has had negative feedback submitted about them. To verify this, visit the PCI SSC website and view the remediation status. Keep in mind that this list is a point-in-time list. If a QSA company has been in remediation and has since fixed those issues, the status will no longer be displayed there.
SUGGESTED QUESTION: In what industries is the QSA company familiar working?
KEY CONSIDERATIONS: Organizations will be better served by using a QSA that has familiarity in their particular industry. Many industries have unique challenges, such as retail (including restaurants and grocers), financial services (including insurance), education, healthcare, and hospitality industries.
If you’re a retailer, make sure the QSA company has experience with retail sales, and that they understand the difference between brick-and-mortar and online implementations. Likewise, if you’re a service provider, find out if your QSA has worked with managed service providers. QSAs with industry-specific knowledge will have a deeper understanding and be better equipped to help your organization.
SUGGESTED QUESTION: Does the QSA have a technical background, technical experience or any relevant credentials?
KEY CONSIDERATIONS: All QSAs must be certified and should have some practical background in Information Technology/Information Security before sitting for the QSA certification exam. Practical experience is important so that when your QSA is assessing your organization, they will understand the technologies being used and can give you recommendations that are proven. Additionally, they will know which safeguards have a better chance of being effective in your environment.
SUGGESTED QUESTION: Has the QSA company you are considering been audited?
KEY CONSIDERATIONS: Organizations will want to know if the company that they are looking to hire has been audited to see if the Payment Card Industry Security Standards Council (PCI SSC) has graded the company’s Report on Compliance (ROC). If a company has never been audited, the PCI SSC has never graded their quality of work. Proceed with caution.
PROCESSES OF THE QSA AND QSA COMPANY
SUGGESTED QUESTIONS: How responsive is the QSA in responding to issues and questions? How much time should the client expect to receive answers?
KEY CONSIDERATIONS: Organizations will want to know how long they should expect to wait to get a response. A reasonable response wait time should be hours or days; not weeks.
SUGGESTED QUESTION: How does your QSA company establish scope?
KEY CONSIDERATIONS: Scope drives the PCI assessment, so it is critical that the scope, and the process for determining it, are understood from the beginning. Segmentation is a critical tool for reducing the scope of the cardholder data environment. How will your QSA validate segmentation?
SUGGESTED QUESTIONS: How will information be gathered? What is the process for gathering information?
KEY CONSIDERATIONS: A PCI assessment requires large amounts of information to be gathered. You should look for a QSA that has a defined process for gathering information and can help with the process.
SUGGESTED QUESTIONS: How much guidance can you expect from the QSA? What level of support can the organization expect? Does your QSA understand and have experience in risk management?
KEY CONSIDERATIONS: Some organizations need more hand-holding and guidance than others. Some organizations want to simply “check a box” without the critical thinking component of a seasoned professional who can partner as a security advisor. PCI is becoming more sophisticated, and larger merchants are required to implement risk management as part of business-as-usual processes. QSAs with risk management expertise are highly sought after and come at a premium. Be sure that the QSA you hire can demonstrate their skill with risk management, as this requirement becomes more and more important. Finally, the DSS is constantly changing. You’ll want to find a QSA that will help your organization keep up with evolving changes so that you are never surprised by new requirements.
SUGGESTED QUESTIONS: How independent is your QSA? Are they incented to sell you specific products?
KEY CONSIDERATIONS: Look for independent QSA companies that are interested in finding the right solutions for your individual needs. Some companies sell their own products and may not have your organization’s best interest at heart.
SUGGESTED QUESTIONS: How will the project be managed? Does the QSA have a PMP or experience in managing complex projects?
KEY CONSIDERATIONS: A PCI assessment has many moving parts and significant opportunity for delays. QSAs are not always (or often) effective project managers. What processes currently exist to ensure project success? Ensuring effective project management is half of the battle. Do not underestimate the importance of this skill.
Finding the right QSA is an important decision, especially if you’re looking for a security partner rather than an auditor. Be sure you know where your organization stands with PCI today and what you are looking for before searching for your next QSA. When a QSA and QSA firm can answer all of the questions outlined above thoroughly and to your satisfaction, consider shortlisting that company. If any firm hesitates in answering your questions, consider it a red flag and move on. Happy hunting!
CONTRIBUTING AUTHORS: TODD BECKER AND VIVIANA WESLEY