How to choose a PCI DSS QSA Auditor!!

Don’t choose the lowest bidder when you are seeking the best QSA to do your onsite PCI DSS audit.  This is not an article to inflate the costs of validating your compliance program, but instead intended to LOWER the cost of the PCI onsite audit.

While giving training this week on PCI DSS, a great conversation developed in which we outlined what should be strongly considered when hiring a QSA for the business.  The list below captures the conversation, which will surely continue:

  • Selecting a QSA auditor should be done in partnership with the Internal Audit team, the Technology leadership, and the Relationship manager (or person charged with ‘owning’ the payment transactions within the business).

There is no lack of audit firms willing to do the work, so a whittling process is necessary:

  • Consider geographic location – you want a firm that is local or has local resources, so you can have plenty of face time without incurring burdensome travel expenses
  • Consider the firm's experience in YOUR line of business – request a specific client reference that you can speak with before signing an agreement
  • Request that the firm explicitly list the auditor by name and certifications on the contract, so you can compare equivalent contract proposals
  • Require a process flow for how INTERPRETATIONS will be approached, and the firm's process for handling disagreements over those interpretations.  Remember that the QSA is charged with the subjective portion of determining whether the controls are valid, so you need to be sure there is a process, with reasonably qualified people on both sides of the table, that you can actually work with
  • Require a breakdown of how they will handle prior QSA work.  Will they use it; will they accept it; what will cause prior work to be considered non-compliant?

Please consider these practices along with your existing mature vendor vetting process.  Today is Day 2 of the PCI DSS training here in Atlanta, so I will add any additional insights as they come up.


James DeLuccia IV

6 responses to “How to choose a PCI DSS QSA Auditor!!”

  1. Pingback: Network Security Blog » PCI related blogging

  2. Pingback: PCI Blog - Compliance Demystified » Blog Archive » News roundup

  3. Pingback: Choosing a PCI DSS Auditor? Does WMQ awareness count?

  4. Also, how many successful ROCs issued in a year? Any rejected ROCs with the PCI council? Turnover of QSAs in the vendor's firm? Experience with compensating controls.

  5. Pingback: QSA Liability – CardSystems and court precedence « Payment Card Security & IT Controls Explained

  6. Pingback: Audits - How to Select a Topnotch IT Security Auditor - Active Screening
