
TOP 5: Choosing the right QSA

The market for Qualified Security Assessors (QSAs) has grown rapidly since the introduction of PCI DSS version 1.0 back in 2005. This article aims to help companies pick the right QSA.

1. Focus your search on the individuals you would like to work with, rather than the QSA company itself. All QSA companies have been vetted by the PCI SSC. Whether you prefer a smaller or a larger QSA company comes down to your own preferences; there are pros and cons to working with both, which are beyond the scope of this article.

2. Use social networks such as LinkedIn, Facebook and Twitter to gather background information about the individuals you want to work with. Ensure that they have enough experience to be able to help your company. Study their credentials and previous employment records. There are plenty of QSAs out there who do not have a great deal of technical expertise. PCI DSS is a technical standard, and one has to be technically sound in order to assess an environment thoroughly.

3. A QSA should be helpful. Most of the time, the initial PCI DSS meeting turns into a long relationship. Yes, the primary objective of the final PCI DSS assessment is to assess the company. However, there is a lot of work required before and after the assessment. You don’t want to work with someone who has a “tick box” approach and is not willing to provide additional advice or recommendations.

4. A knowledgeable QSA will save you money. By making correct decisions and recommendations, a skilled QSA will help you design and maintain the network in a compliant, but most importantly secure, way. Too often I see companies spend thousands of pounds on technologies which they then have to redesign or even scrap during the PCI DSS assessment.

5. Search for a QSA with experience in the technologies you use in your company. It is very difficult for any QSA to assess technologies he is not familiar with. If you have just deployed 100 new F5 load balancers, ensure that the QSA has enough expertise to assess them correctly.

Let’s not forget that PCI DSS is a technical standard which, if executed correctly, provides multiple layers of security controls for your organisation. If your company falls into scope for PCI DSS, you may as well design the network and deploy the right technologies from day one, rather than just tick boxes to meet PCI DSS requirements.
To achieve the above, you need to find a knowledgeable security consultant who will not only assess your company but also provide advice to make your network more secure.

Jake Eliasz

Jake is a Chartered Lead Security Consultant with over 15 years’ experience in Information Technology. Jake has performed many consultative engagements for the retail, banking and government sectors in the EMEA region. Jake is currently focused on designing security controls, PCI DSS, PA DSS, ethical hacking and security risk/compliance. Prior to working for NCC Group, Jake worked as a Lead Security Consultant - QSA (Ambersail), Security Specialist (CreditCall) and Security Analyst (Symantec), where he designed, implemented and managed various security controls for large, distributed networks. Jake graduated from the University of Plymouth with an MSc degree in Information Security.
