Most people would rather have root canal without novocaine than be interviewed by a QSA for a PCI Report on Compliance. Maybe it makes your palms all sweaty and your stomach a ball of knots. Relax. As long as you can provide the how, what, where, why, and how of the PCI requirements you’re responsible for, you got this.
Here’s 10 tips to help you breeze through your interview and make you look like a company super star among your peers.
Plan for a good morning the night before your interview.
- Get a good night’s sleep.
- Exercise or stretch to get your blood flowing.
- Eat breakfast.
Know your PCI requirements.
If, for example, you’re responsible for the firewalls and routers in the cardholder data environment, know and understand the PCI DSS requirements, sub requirements, testing procedures and the proof you’re required to provide in Requirement Area 1: Build and Maintain a Secure Network and Systems.
If you’re not sure of the questions or if you’d like to practice your interview, schedule time with your ISA or PCI program manager and walk through your interview questions until you are comfortable and confident.
The more you practice your interview the better you’ll be able to breeze through your time with the QSA.
At your scheduled interview time, have your system set up to run through any observations of processes, actions, or state. For a requirement to be “in place,” often a QSA not only needs to interview you but also, the QSA needs to observe real time configuration settings.
You may be asked to provide screen shots of observations as those will be sufficient evidence that the QSA has observed whatever they’re required to observe during your interview.
The interview is not a closed book test.
Bring your run book or standard operating procedures and any process documentation that you follow for PCI compliance.
Yes, it’s okay to bring your reference material…and your lucky rabbit’s foot.
Bring your manager
If this is your first QSA interview, moral support is a good thing. If you’re unsure of how to respond to a question or you have a brain skip, your manager can respond.
When in doubt, invite your manager or a colleague to tag along!
Bring a good attitude
No doubt, PCI is burdensome and adds to your workload. However, as long as your company accepts payment cards from its customers, your company is legally and contractually obligated to comply with the PCI DSS.
The interview will be over before you know it.
Submit your interview evidence in a timely manner
Submit your observed configurations, processes, actions, etc., as soon as the interview is completed to your ISA or program manager.
Anticipate follow ups.
Just when you think you’re done, you get a call or email from your ISA because the QSA needs a few more things from you.
Relax and breathe. There’s a number of reasons why they may need something extra from you.
- The QSA may have forgotten to ask for a configuration setting during the interview
- You may have forgotten to submit a screen shot
- The Report on Compliance is in QA and the QSA feels additional evidence is required before they can mark a requirement as “in place.”
Your interview takes less than 90 minutes and often may take as little as 15 minutes.
Still need help? Request a call back. We can help prepare you for your interviews with the QSA!