How to Choose a PCI QSA

As of writing this article, there are currently 378 PCI QSA Companies worldwide that are certified by the PCI Council. That is quite a selection to narrow your choices. So what do you look for in good qualities to partner with? What attributes do you form that basis on? Throughout this blog, we are going to be talking about the evaluations you’ll be going through when selecting a good QSA company and the considerations to follow – both the good and bad attributes.

Basic Considerations

To start the evaluation, you need to look at what you require your QSA to be directly certified to provide. Depending on the complexity and international presence your company processes cardholder information, you may need other services outside of a straightforward Report on Compliance (RoC). Here are a few that you need to consider.

Regional Submission

PCI has QSA companies register with different regions (USA, Canada, Europe, Asia Pacific, etc.). This means that if your organization, for example, has a merchant bank in both the USA and Canada, and they both require Report on Compliance submissions, then you would need a QSA company that is registered for both regions.

Language Support

Sometimes in different remote parts of the world, you need to have an assessor speak the local language of the country. The PCI Council lists the supported languages on the website in case you have a specific need around this.

Other PCI Components

If your organization needs other PCI certifications, you may seek out a QSA company that also provides those; for example, certifications like point-to-point encryption (P2PE), PA-DSS, Approved Scanning Vendor (ASV), or PCI Forensics Investigator (PFI).

How Well Will They Work with Your Team?

Once you have your specific requirements of a QSA company narrowed down, the next step is to see whether they are the right fit for your organization. You will want to condense your list to about three to five assessors to run through your evaluation process.

Depending on the relationship you want with your QSA, you can adjust the amount of time you review their capabilities. For example, if you are looking to switch QSAs every one or two years and are just looking for someone to perform a successful audit, you may choose to spend less time in the evaluation. However, if you are looking for more of a long-term partner in the field, someone you can bounce questions off all year, it is recommended to employ a longer process to ensure a proper fit so that you will not have to repeat the evaluation within the next three years, at least.

You should ask your friends and peers in the industry about their experiences, whether good or bad, with different QSA companies. Sending a note across LinkedIn may also be an excellent way to garner input from good potential partners, or QSAs to avoid altogether.

Experience

Ask the QSA company about their experience within the PCI industry to review how new they are to the industry. Most businesses will intermix veterans in the space with senior resources to optimize pricing and quality for the organizations they serve. A junior resource may be involved in your project but should never be leading the quality of the project.

The organization should ask for a list of QSAs within the company and a short bio that would be capable of leading the project for the organization. Review this and ask any follow-up questions that you may have on the individuals until you feel comfortable about the skill set the company brings.

Methodology and Timelines

Review with the QSA company exactly how they perform a QSA assessment. These include getting information on:

  • What are the major phases of the project?
  • Describe the timing between the phases?
  • Are there any prerequisites that need to be complete before to perform the on-site portion of the engagement?
  • Describe the evidence collection process and the means of delivery? What is the timing commitment from the QSA company to review the evidence and deem satisfactory or not?
  • What are the commitments held to for your organization, and by when, to guarantee an on-time delivery?
  • When all evidence is in, and the RoC is completed, how long does it take to go through the quality assurance process?
  • Are there commitments to status updates on the assessment process?

Gather all this information and compare to your top choices. Some QSA companies are very strict in timing and evidence collection. Some of these activities may even add more time to your team, so understand this and the pricing to compare accurately.

Trusted Partner or Auditor

Another component of separation between QSA companies is how flexible they are with questions and other concerns that you want to engage them on. Certain companies will not talk with you outside of a signed change order. This can be frustrating, especially if you are engaged with them on a multi-year contract, and you are trying to ascertain their opinion of a process that will be under scope in the coming year review.

Ask the QSA company about their policies around this. Ideally, they should be open to having any conversation or answering questions to a reasonable extent. For example, if you are implementing a new process in accepting cardholder information or have questions about future PCI requirements, they should be willing to have a conversation about these aspects.

Avoiding Negative Attributes

Conflicting Advice

One of the most prominent problems within the PCI industry is QSAs conflating their opinions into the standard. For example, there have been cases where I have seen QSA companies issue the opinion that Unix systems are “commonly affected” systems with malware, as according to requirement 5.1, even though there is clear guidance suggesting otherwise.

There are many more examples of this, where these companies are looking at it to set the security baselines, rather than looking at this assessment as a framework. The good QSA companies will make a clear distinction between their security recommendation and what they need from you to be compliant with the standard.

Another situation I have seen companies run into is QSAs from the same company conflicting on remediation appropriateness. So, while you work nine months on a solution to comply with some PCI requirements, a new QSA comes in from the same company and essentially tells you that the solution is not appropriate for the environment. To avoid this, ask if the company has a documented stance on some of the “grey” areas with the standard. This would include items like: What constitutes commonly affected systems for malware?; How long do you have to remediate findings with a risk-based determination?; and What is considered the card-holder data environment? If they do not, ask the QSA company how they ensure to keep their own QSA interpretations uniform across the company. If they have something documented, then they should be willing to share that with your organization, as it should not be a mystery as to how they are reviewing your organization.

Bait and Switch

Another common tactic in the consulting arena is the bait and switch method, where they dangle their best consultant with all the credentials there are to have, only to realize that when the engagement starts you are left with the intern fresh out of college. To avoid this, ask before the start of the engagement who will be on your project, and feel free to object or ask for someone more qualified. Also, if you think that your environment requires advanced knowledge of a particular technology, like encryption or mainframes, ask for a list of available consultants that would fit that need. Most organizations will reassign resources as needed, as long as you are flexible to the start date of the engagement.

Dealing with Bad QSAs

Unfortunately, there isn’t a lot you can do when you run into a bad QSA. However, here are a few things you could do to alleviate the problems you are currently having with the assessor.

First, if you are arguing over scope or the applicability of controls, try to root your point in facts from the PCI Council or other reputable sources (NIST, ISO, etc.). Check out the Guidance documents they have on their portal for more information on the way the PCI Council intents the controls to be implemented. Also reference their online FAQs, as there are many clarifications and stances they document there.

Next, you may wish to escalate this within the QSA company structure. Sometimes you may just be dealing with one miseducated QSA and including some of their peers or managers may clear up the situation. Getting a meeting together to talk about the problem, armed with your facts, may help you clarify the issue.

If you have helpful resources from another QSA company, you may want to reach out to them to get their opinion if you are having problems. Sometimes a different perspective will help you solidify your ideas and get the facts you need to have the conversation with your QSA company.

Also, whatever the outcome of the above, you may also wish to leave feedback to the PCI Council about the QSA. If you look up the QSA on the portal, you can submit detailed feedback about problems or a negative situation. This may trigger the QSA company coming under scrutiny from the PCI Council, especially if there are repeat instances of the complaint.

Getting It Right Can Make a Huge Difference

The market is definitely crowded with certified QSA companies, and with this, there is a shortage of competent, qualified individuals running them. However, it all comes down to mainly two things:

  • the people involved
  • the process to support the Report on Compliance

The company then is just a reflection of how well this is implemented. Do your homework, interview the people that will be involved, and get a good understanding on both what the expectations of the process are going forward, as well as the QSA’s stance on critical grey areas within the standard. And keep in mind that this all has no bearing on the size of the company per se. If you do all this, be assured that you will find the right partner in the PCI industry for a long time to come.

Justin Leapline

Author: Justin Leapline

Justin Leapline has over 20 years of experience involving system administration, software development, and information security. His core skills include regulatory and contractual compliance within the information security realm, security program management, and general governance practices and frameworks. Before joining TrustedSec, Justin consulted with numerous Fortune 1000 companies in the areas of information systems, audit, governance and information security. He has also led the governance and security practices for leading eCommerce and large financial services companies. Additionally, Justin has spoken at numerous conferences concerning risk management, payment card industry (PCI), and general information security practices.