At this point, the industry as a whole is several years into the ubiquitous Payment Card Industry Data Security Standard (PCI DSS). Throughout its evolution, the standard has affected the industry in a variety of ways. One of the most prominent is the creation of a sub-industry dealing primarily with helping companies achieve and maintain compliance with the standard. The Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) cottage industry is perhaps the most tangible of these effects, and the QSA and the QSA firm have been the lightning rod for much of the attention focused on the standard. There is an expectation that one QSA is substantially similar to another, but there can be substantial differences from one QSA to the next. The question, then, is "How do I choose the right QSA?"
There is a saying, "No one ever got fired for hiring (Insert Big Company Name)." This alludes to the fact that (Insert Big Company Name) is large enough and established enough to meet whatever challenges its customers may face. There is a great deal of validity to that statement, but it does not remove the necessity to perform due diligence. While the size and history of a large, well-known company may bring a sense of comfort to many organizations, the converse is that the company may be so large that its clients do not receive the personalized attention they need. Certainly there are companies that have the in-house ability to manage the PCI compliance process with very little guidance and only require a QSA for the validation assessment. For those companies, a larger QSA firm that provides only assessments and not remediation services may be an appropriate choice. Another case in which a larger, audit-centric QSA firm may be a good option is a Level 1 merchant that is choosing to self-assess but needs limited support in the process.
However, for companies that need more specialized support, a boutique shop might be an excellent choice. In many cases, boutique QSA firms have developed specialized knowledge within the payments industry; they may, for example, have a great deal of experience with loyalty card providers or fuel service merchants. In that case a company that specializes in loyalty cards may seek out a QSA with that specialized experience. In other words, when you have a cavity you make an appointment with a dentist, not an endocrinologist. There must be a fit between the services that are needed and the services that can be provided by the QSA firm that is selected.
On a related note, the depth of experience within a QSA firm should be vitally important to the selection process. The recent explosion of the PCI DSS cottage industry has resulted in a number of companies seeking to add the QSA designation to their list of services. As a result, there are many QSA firms on the PCI SSC list that have conducted only a handful of assessments. This is not to say that a lack of experience is synonymous with a lack of ability, but the nuances of this industry can catch anyone unawares. The lack of experience is magnified when dealing with the card brands, the acquirers, and the Payment Card Industry Security Standards Council (PCI SSC).
Just as it is important to know the level of experience within a QSA firm, it is also imperative to know how much experience the individual consultant has with conducting PCI DSS assessments. The consultant should be not only a guide through the process but an advocate for the company as well. His or her understanding of the standard and its objectives has an enormous impact on the compliance process. A company should know not only its prospective consultant's overall experience with the PCI DSS, but also the consultant's experience with the business model being assessed. For example, a QSA that has never assessed a Data Storage Entity (DSE) may not be the best choice for a company that stores cardholder data on behalf of a merchant or service provider. If the prospective consultant does not understand the term "gateway" as defined by Visa, they probably should not be selected to assess a company that facilitates transaction processing for merchants. Of course, these examples are oversimplified, but the concept can be extrapolated across the industry.
The key message is that no one QSA or QSA firm is the right fit for every company. There is a tendency in the industry to choose the biggest or most well-known firms to conduct assessments, but that might actually be to a company's disadvantage. Nor is it to a company's advantage to engage a firm based solely upon proximity. Having someone close by may be helpful in keeping travel costs down, but it may ultimately increase costs if that nearby QSA does not have the experience or expertise that is needed.
During the course of training hundreds of Level 1 and Level 2 merchants over the past two years, The Aegenis Group has heard numerous merchants state that they simply "went down the list" and chose the most well-known or largest QSA. This method of selection often causes more problems than it solves. It often results in the merchant "re-selecting" a new QSA to finish the engagement. It may be helpful to perceive the QSA not as an adversary (a not uncommon point of view) but as a member of the compliance team. In that light, the process of QSA selection takes on a different hue. The vetting process becomes stricter, and the company itself develops standards and guidelines for the ideal QSA to be engaged.
The following are questions that should be asked when selecting a QSA:
To whom are they loyal, and what are their specific objectives?
Does the QSA understand their role as an assessor AND an advocate?
Does the QSA appear to have a vested interest in selling products or consulting?
Does the QSA understand and have experience with my specific business model and in my specific industry?
How many assessments has the QSA conducted, and what is their record of success?
When searching for a QSA, it is recommended that merchants and service providers ask the "hard questions".
All QSAs have attended PCI SSC sponsored training and should be able to explain the basic concepts of the PCI DSS and related documents in depth. To gauge the skill level and knowledge of the QSA being evaluated, it is recommended that companies ask them to explain the following:
What guidance can the QSA provide to minimize the effort and cost associated with compliance?
The QSA should be able to provide insight into minimizing the scope of the assessment by removing stored cardholder data wherever it is not needed and by employing proper network segmentation so that fewer systems are in scope.
Under what conditions can compensating controls be used and what are some examples of compensating controls that the QSA has recommended in the past for (insert the requirement you may be struggling with)?
The QSA should be able to describe in detail the concepts of compensating controls and specific controls recommended in the past.
(One word of warning: A QSA that says they have never used compensating controls should give you pause.)
What is the QSA's process for working as an advocate with the acquirer or card brand in instances where compensating controls must be used?
If the QSA has limited or no experience interfacing with the major acquirers or card brands, they have likely had limited experience with the PCI DSS.
What is the process for remediation?
If the QSA has a "cut and run" strategy in which they leave you with a laundry list of issues to fix and are not willing to provide at least minimal guidance, then you may want to look elsewhere.
Ask the QSA to describe a situation in which they were at odds with their client and how it was resolved.
Any QSA that has worked on more than a handful of Level 1 assessments has had differences with clients over interpretation or implementation. You want to understand the QSA's process for working through issues that may be challenging. If the QSA is simply going to dig in their heels on every difference of opinion, then it may be best to look for another QSA.
Though this may be a case of "preaching to the converted," the important lesson is that the cost of following the pack for PCI DSS compliance often outweighs the benefits. Each company must determine its own path to compliance, and that includes selecting a QSA. The process should be similar to bringing on a full-time employee: companies must do their due diligence to ensure that the QSA firm is the right fit, not just the biggest name.