Warning: Not All QSA’s Are Created The Same

Working with QSA’s since 2011, I realized that not all QSA’s are created the same. Some QSA’s have been working in the PCI DSS Compliance space for a few years, some as long as the PCI DSS program has been around. While others may have just passed their QSA exam and really don’t know what they’re doing when it comes to assessing a merchant for compliance.

Wouldn’t it be great if every QSA you met was created the same? They all go to the same training, they must all meet the same qualifications, and they all take the same test. So why aren’t all QSA’s created the same?

I’ve run into some really good QSA’s and I’ve run into QSA’s that have no business assessing another entity for compliance. Learn to spot the QSA’s you can rely on and trust. There’s always a few bad apples and you’ll need to recognize them right away.

10 Qualities To Look For In A Good QSA

1. Your QSA must have an in depth knowledge of the current version of the PCI DSS and supporting guidance documentation and FAQs.
2. Your QSA must understand how requirements loop together and are interdependent.
3. Your QSA must have a technical skill set to review technical evidence such as configuration settings, firewall rules, access control lists, etc.
4. Your QSA must have integrity.
5. Your QSA must work well under tight deadlines.
6. Your QSA must be personable and have the ability to communicate well with C-level executives as well as technical subject matter experts.
7. Your QSA must approach challenges in your cardholder data environment with a sense of curiosity and ask questions to help resolve issues.
8. Your QSA must act as your partner in the assessment and not your adversary.
9. Your QSA must have good interviewing skills and be able to put technical subject matter experts at ease. Interviews during the assessment are a conversation, not an inquisition.
10. Above all else, your QSA must be trustworthy.

Normally, it’s been my experience to work with a team of QSA’s. My top 10 qualities are based on two very real QSA’s that I not only enjoyed working with but I also learned a lot while working with them. As an ISA, one of the best things I learned to cultivate was to be curious and ask lots of questions. “Can you tell me a little bit more about that [implementation, configuration, issue, etc.]?” became one of my favorite questions to ask.

Not All QSA’s Are Created the Same: 10 Qualities To Be Weary Of In A QSA

What about the not so good QSA’s? I’m the first one to give anyone the benefit of the doubt. Similar to a new TV series when the first one or two episodes are bad, I’ll stick with it hoping it gets better. Most of the time, it does. But sometimes….it doesn’t.

1. The “rules lawyer” or as I like to call them, Owls. Remember the Owl in Winnie-the-Pooh? Owl is a know-it-all who knows next to nothing. A QSA who is Owl-like will split hairs with you on a particular requirement regardless of whether you’ve met the intent of the requirement.
2. The new QSA. You may need to take them under your wing, but it’s not your responsibility to train them on how to be a QSA.
3. The QSA who attempts to conduct a PCI DSS interview from Starbucks. True story, it happened and I had to stop the interview.
4. The QSA who has difficulty communicating PCI guidance or intent to C-level staff and technical subject experts. Speak up and make it known.
5. The QSA who routinely strays out of PCI DSS bounds. Out of normal curiosity, it happens. However, your job as the ISA is to keep the assessment within the bounds of PCI DSS requirements.
6. The QSA who struggles with the interpretation and intention of the PCI DSS Requirements. True story, I once had a QSA ask to see the CPE’s of incident responders. I asked him where the DSS required that. He pointed to 12.10.4. I told him periodic training was all that’s required and he had copies of all the incident responders certifications.
7. The QSA who treats you with disrespect and as an adversary.
8. The QSA who”fudges” things in your Report on Compliance. For real, that happened.
9. The QSA who does not come prepared to meetings and / or interviews with subject matter experts.
10. The QSA who does not return your calls or emails in a reasonable time frame.

While not all QSA’s are the created the same, there are qualities to look for in a top notch QSA firm and there are qualities to avoid as much as possible.

Don’t just close your eyes and pick your QSA from the list of QSAs the PCI SSC provides, interview them. Be curious and ask them questions based on real scenarios in your cardholder data environment. Your QSA will play a role in the success of your PCI DSS Compliance program.

And remember, your PCI DSS Compliance is not the responsibility of your QSA. It’s yours. Their job is to assess how you met the security requirements spelled out in the PCI DSS.

While it’s the QSA’s responsibility to assess your security controls, it’s your cardholder data environment and you not only own the security controls but the entire assessment process as well.

If you need help getting started, we’ve got several resources that will help you provide an accurate scope assessment, manage your Report on Compliance from beginning to end, and save at least 100 hours with a consolidated interview and observation schedule.

Want to dive deeper? Join us November 10 for Demystifying Continuous PCI Compliance for Finance, IT, and GRC!