Don’t choose the lowest bidder when you are seeking the best QSA to do your onsite PCI DSS audit. This is not an article to inflate the costs of validating your compliance program, but instead intended to LOWER the cost of the PCI onsite audit.
While giving training this week on PCI DSS a great conversation developed where we outlined what should be strongly considered when hiring a QSA for the business. Below captures the conversation that will surely continue:
- Selecting a QSA auditor should be done in partnership with the Internal Audit team, the Technology leadership, and the Relationship manager (or person charged with ‘owning’ the payment transactions within the business).
There is no shortage of audit firms willing to do the work, so a whittling process is necessary:
- Consider geographic location – you want one that is local or has resources local so you can have plenty of face time without incurring burdensome travel expenses
- Consider the firm's experience in YOUR line of business – request a specific client reference that you can speak with before signing an agreement
- Request that the firm explicitly list the auditor by name / certifications on the contract to ensure you can compare equivalent contract proposals
- Require a process flow on how INTERPRETATIONS will be approached, and their process for handling disagreements with these interpretations. Remember that the QSA is charged with the subjective portion of determining whether the controls are valid, so be sure there is a process, with reasonable qualifications on both sides of the table, that gives you a workable way to resolve disputes
- Require a breakdown of how they will handle prior QSA work. Will they use it; will they accept it; what will cause prior work to be considered non-compliant?
Please consider these practices along with your existing mature vendor vetting process. Today is Day 2 of the PCI DSS training here in Atlanta, so I will add any additional insights as they come up.
James DeLuccia IV