Secure Payments, PCI DSS, Regulatory Compliance Blog

Meet Your PCI Auditor - part 2

January 9th, 2007 by datasecurity Posted in QSA

Due to the high interest in the prior post on PCI auditors (and the laughs it got), here is some actually useful information. Many people who are looking for an assessor look first to the list of Qualified Security Assessors (QSA) [PDF], because companies must use one of these vetted companies to perform their audit.

(Level 1 merchants are permitted to perform the audit using internal resources, but the report must be signed off by an officer of the corporation. Of the 25% of merchants who take this path, almost all of them also contract outside help for their first few years.)

When examining the list you may find it a daunting task to sift through the many companies and find one that will provide you the best value for your money. Here is a list of tips to help you find the best one for you.

  • Communicate with your acquiring bank or processor. Your acquirer/processor cannot directly recommend one company (or should not, for liability reasons), but they can tell you which companies they have strategic partnerships with, whom they rely upon for advice, and who performs the most audits.
  • Just because they do the most work does not mean they are best for you. Many companies like to tout themselves as doing the most volume in the industry, but that only means they probably don’t have time for you (because they are already handling so many projects). Look for a local company, or one you feel you will get more hands-on care from.
  • Ask your friends. (The corollary to this is: if you don’t have friends, go to ETA and MRC.) Ask others about their experience with different firms and use that to promote or demote each company on your list of potential advisers.
  • Interview them. It is not uncommon for a company to “interview” its potential QSA adviser by asking several key questions about pivotal issues you have been wondering about, such as: liability, scoping & sampling, franchise scope, how to handle retail stores, etc. If they can’t answer these questions, move on down the list.
  • Learn from their scoping questions. How well a consultant understands any project can be quickly identified by how well they can scope it for pricing. If you are a merchant with 2,000 retail outlets, ask them how many they will sample. Better yet, let them ask you questions, and be wary of anyone wanting to sample too much. Did they ask how many data centers you have? Did they ask how many computers you have, or did they ask how many of them store credit card data? It’s important that your assessor understands that the scope is limited to certain systems.
  • Examine their partners. Ask what key vendors they partner with. If they partner with companies that sell expensive products, you can be sure that part of their recommendation will be for you to implement that product. There are some “pure play” companies on the list, but very few. Some companies say that they “partner with all the security vendors to get you the best price regardless of vendor.” Sometimes this is good for you and sometimes good for them. Proceed with caution. Also, beware the “pure play,” as they cannot offer you discounted products. (This is a double-edged sword.)
  • Do not let cost justify 100% of your decision. Don’t go with the low-cost provider unless you want low-cost service. This does not apply to all parties, and the same holds (sometimes) in reverse for the high-cost provider. Ask for references and see if they do work for other companies like yours. If you are a retail company, ask for retail references; the same goes for travel & entertainment, higher education, food services, etc.
  • Know what they know. Unfortunately, the PCICo-sponsored classes are only offered to registered QSA companies and their employees. We suggest getting the next best thing: training taught by the same person who taught your assessor!

Next, we should write a list of helpful hints on how to make sure your PCI assessor is working for you!
