The market of Qualified Security Assessors (‘QSAs’) has grown rapidly since the introduction of PCI DSS version 1.0 back in 2005. The article aims to help companies to pick the right QSA.
1. Focus your search on individuals you would like to work with, rather than the QSA company itself. All QSA companies have been vetted by the PCI SSC. It is down to your preferences, whether you prefer smaller or larger QSA company. There are pros and cons of working with both, which is beyond the scope of this article.
2. Use social networks, such as LinkedIN, Facebook, Twitter to gather background information about those individuals you want to work with. Ensure that they have enough experience to be able to help your company. Study their credentials and previous employment records. There are plenty of QSAs out there, who do not have an awful lot of technical expertise. PCI DSS it is a technical standard and one has to be technically sound in order to be able to assess an environment thoroughly.
3. A QSA should be helpful. Most of the time, the initial PCI DSS meeting turns into long relationship. Yes, the primary objective of the final PCI DSS assessment is to assess the company. However, there are lots of work required pre and post assessment. You don’t want to work with someone, who has a “tick box” approach and is not willing to provide additional advice or recommendation.
4. A knowledgeable QSA will save your money. By making correct decisions and recommendations, skilled QSA will help you design and maintain the network in the compliant, but most importantly secure way. I see too often, where companies spend thousands of pounds on technologies, which they have to redesign or even scrap during the PCI DSS assessment.
5. Search for a QSA with experience in technologies you use in your company. It is very difficult for any QSA to assess technologies he is not familiar with. If you just deployed 100 new F5 Load Balancers, ensure that the QSA has enough expertise to assess them correctly.
Lets don’t forget that PCI DSS is a technical standard, which if executed correctly, it provides multiple layers of security controls to your organizations. If your company falls into scope for PCI DSS, you may as well design the network and deploy right technologies from day one, rather than just tick boxes to meet PCI DSS requirements.
In order to achieve the above, you need to find a knowledgeable security consultant, who will not only assess your company but also provide advice to make your network more secure.