Most people would rather have root canal without novocaine than be interviewed by a QSA for a PCI Report on Compliance. Maybe it makes your palms all sweaty and your stomach a ball of knots. Relax. As long as you can provide the how, what, where, why, and how of the PCI requirements you’re responsible for, you got this.

Here’s 10 tips to help you breeze through your interview and make you look like a company super star among your peers.

Tip #1

Plan for a good morning the night before your interview.

  • Get a good night’s sleep.
  • Exercise or stretch to get your blood flowing.
  • Eat breakfast.
  • Hydrate.

Tip #2

Know your PCI requirements.

If, for example, you’re responsible for the firewalls and routers in the cardholder data environment, know and understand the PCI DSS requirements, sub requirements, testing procedures and the proof you’re required to provide in Requirement Area 1: Build and Maintain a Secure Network and Systems.

Tip #3

Be Proactive

If you’re not sure of the questions or if you’d like to practice your interview, schedule time with your ISA or PCI program manager and walk through your interview questions until you are comfortable and confident.

The more you practice your interview the better you’ll be able to breeze through your time with the QSA.

Tip #4

Be Prepared

At your scheduled interview time, have your system set up to run through any observations of processes, actions, or state. For a requirement to be “in place,” often a QSA not only needs to interview you but also, the QSA needs to observe real time configuration settings.

You may be asked to provide screen shots of observations as those will be sufficient evidence that the QSA has observed whatever they’re required to observe during your interview.

Tip #5

The interview is not a closed book test.


Bring your run book or standard operating procedures and any process documentation that you follow for PCI compliance.

Yes, it’s okay to bring your reference material…and your lucky rabbit’s foot.

Tip #6

Bring your manager

If this is your first QSA interview, moral support is a good thing. If you’re unsure of how to respond to a question or you have a brain skip, your manager can respond. 

When in doubt, invite your manager or a colleague to tag along!

Tip #7

Bring a good attitude

No doubt, PCI is burdensome and adds to your workload. However, as long as your company accepts payment cards from its customers, your company is legally and contractually obligated to comply with the PCI DSS. 

The interview will be over before you know it.

TIp #8

Submit your interview evidence in a timely manner

Submit your observed configurations, processes, actions, etc., as soon as the interview is completed to your ISA or program manager. 

Tip #9

Anticipate follow ups.

Just when you think you’re done, you get a call or email from your ISA because the QSA needs a few more things from you.

Relax and breathe. There’s a number of reasons why they may need something extra from you.

  • The QSA may have forgotten to ask for a configuration setting during the interview
  • You may have forgotten to submit a screen shot
  • The Report on Compliance is in QA and the QSA feels additional evidence is required before they can mark a requirement as “in place.” 

Tip #10


Your interview takes less than 90 minutes and often may take as little as 15 minutes. 

Still need help? Request a call back. We can help prepare you for your interviews with the QSA!

Build Clean Keep Clean: The Secret Sauce to Maintain Continuous PCI DSS Configuration Compliance

The founders of Payment Card Assessments know all to well what it’s like to receive a scan report with over 2,000 configuration failures, a standards team that didn’t communicate changes to the scanning team, and an implementation team that had no idea what they were supposed to do to an in-scope asset before it went into production. 

Leave a Reply

Your email address will not be published. Required fields are marked *

This field is required.

This field is required.