Most people would rather have a root canal without novocaine than be interviewed by a QSA for a PCI Report on Compliance. Maybe it makes your palms all sweaty and your stomach a ball of knots. Relax. As long as you can provide the who, what, where, why, and how of the PCI requirements you’re responsible for, you got this.

Here are 10 tips to help you breeze through your interview and make you look like a company superstar among your peers.

Tip #1

Plan for a good morning the night before your interview.

  • Get a good night’s sleep.
  • Exercise or stretch to get your blood flowing.
  • Eat breakfast.
  • Hydrate.

Tip #2

Know your PCI requirements.

If, for example, you’re responsible for the firewalls and routers in the cardholder data environment, know and understand the PCI DSS requirements, sub-requirements, testing procedures, and the proof you’re required to provide in Requirement Area 1: Build and Maintain a Secure Network and Systems.

Tip #3

Be Proactive

If you’re not sure of the questions or if you’d like to practice your interview, schedule time with your ISA or PCI program manager and walk through your interview questions until you are comfortable and confident.

The more you practice your interview, the better you’ll be able to breeze through your time with the QSA.

Tip #4

Be Prepared

At your scheduled interview time, have your system set up so you can walk through any observations of processes, actions, or state. For a requirement to be marked “in place,” the QSA often needs not only to interview you but also to observe the configuration settings in real time.

You may be asked to provide screenshots of those observations, as they are sufficient evidence that the QSA has observed whatever they’re required to observe during your interview.

Tip #5

The interview is not a closed book test.

Whew!

Bring your run book or standard operating procedures and any process documentation that you follow for PCI compliance.

Yes, it’s okay to bring your reference material…and your lucky rabbit’s foot.

Tip #6

Bring your manager

If this is your first QSA interview, moral support is a good thing. If you’re unsure of how to respond to a question or you have a brain skip, your manager can respond. 

When in doubt, invite your manager or a colleague to tag along!

Tip #7

Bring a good attitude

No doubt, PCI is burdensome and adds to your workload. However, as long as your company accepts payment cards from its customers, your company is legally and contractually obligated to comply with the PCI DSS. 

The interview will be over before you know it.

Tip #8

Submit your interview evidence in a timely manner

Submit your observed configurations, processes, actions, etc., to your ISA or program manager as soon as the interview is completed.
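One way to make the live observations from Tip #4 easy to hand over under Tip #8 is to package each captured configuration into a self-describing evidence record: who captured it, on which host, when, for which requirement, and a digest that lets the ISA or QSA confirm the capture was not altered after the interview. The POSIX shell script below is an added example and is not code from the original post or from Payment Card Assessments; the requirement label, the record layout, and the iptables-save style ruleset are constructed assumptions for the demonstration, and in practice the capture file would come from whatever command or screenshot the QSA asked to observe.

```shell
#!/bin/sh
# Added example (not from the original post): wrap a captured configuration in an
# evidence record carrying host, UTC timestamp, requirement label and a SHA-256
# digest of the verbatim capture, and verify a record's digest later.
# The requirement label and the sample ruleset below are constructed assumptions.
set -eu

# sha256_of FILE -> hex digest on stdout (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_evidence_record REQ_LABEL CAPTURE_FILE OUT_FILE
# Writes OUT_FILE as: header lines, the capture verbatim, an end marker.
# Prints the capture's digest so it can be quoted in the interview notes.
# The capture must end with a newline and must not itself contain the marker lines.
make_evidence_record() {
    req="$1"; capture="$2"; out="$3"
    [ -s "$capture" ] || { echo "empty capture: $capture" >&2; return 1; }
    digest=$(sha256_of "$capture")
    {
        echo "# PCI DSS evidence record"
        echo "# requirement: $req"
        echo "# host: $(uname -n)"
        echo "# captured_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "# capture_sha256: $digest"
        echo "# ---- begin verbatim capture ----"
        cat "$capture"
        echo "# ---- end verbatim capture ----"
    } > "$out"
    echo "$digest"
}

# verify_evidence_record OUT_FILE -> exit 0 only if the body still matches the
# digest recorded in the header (i.e. nothing was edited after capture).
verify_evidence_record() {
    out="$1"
    recorded=$(sed -n 's/^# capture_sha256: //p' "$out")
    tmp=$(mktemp)
    # Extract the lines between the markers, dropping the markers themselves.
    sed -n '/^# ---- begin verbatim capture ----$/,/^# ---- end verbatim capture ----$/p' "$out" \
        | sed '1d;$d' > "$tmp"
    actual=$(sha256_of "$tmp")
    rm -f "$tmp"
    [ "$recorded" = "$actual" ]
}

# Demo with a constructed (not real) ruleset in iptables-save format; during an
# interview the capture would be the output the QSA actually observed.
demo() {
    cap=$(mktemp)
    cat > "$cap" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
    rec="${cap}.evidence.txt"
    make_evidence_record "Requirement 1 (firewall ruleset, constructed label)" "$cap" "$rec"
    verify_evidence_record "$rec" && echo "record verified: $rec"
}

demo
```

Keep the record file and the capture's digest together with the screenshot you submit; if a follow-up request arrives weeks later (Tip #9), the digest lets everyone confirm that the file being discussed is the same one the QSA observed.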

Tip #9

Anticipate follow ups.

Just when you think you’re done, you get a call or email from your ISA because the QSA needs a few more things from you.

Relax and breathe. There are a number of reasons why they may need something extra from you.

  • The QSA may have forgotten to ask for a configuration setting during the interview
  • You may have forgotten to submit a screenshot
  • The Report on Compliance is in QA and the QSA feels additional evidence is required before they can mark a requirement as “in place.”

Tip #10

Smile

Your interview takes less than 90 minutes and often may take as little as 15 minutes. 

Still need help? Request a call back. We can help prepare you for your interviews with the QSA!

