Do Your Palms Sweat When It Comes Your PCI DSS Interview?

Maybe your stomach aches or does a few belly flips. The QSA is going to interview you about how you do what you do as it pertains to PCI DSS Compliance.

Ugh. I know. You’d probably prefer a root canal.

PCI DSS Compliance interviews make the documentation and evidence gathering seem so much easier and a lot less stressful.

No worries, though. Here’s 10 tips to help you be successful and breeze through that inquisition…I mean your PCI DSS Compliance interviews!

Interview Tip #1

Plan for a good morning the night before your interview.

  • Get a good night’s sleep.
  • Exercise or stretch to get your blood flowing.
  • Eat breakfast.
  • Hydrate.

Interview Tip #2

Know your PCI requirements.

If, for example, you’re responsible for the firewalls, routers, and other network security controls (NSCs) in the cardholder data environment, know and understand the PCI DSS requirements, sub requirements, testing procedures and the proof you’re required to provide in Requirement Area 1: Build and Maintain a Secure Network and Systems.

Interview Tip #3

Be Proactive

If you’re not sure of the questions or if you’d like to practice your interview, schedule time with your ISA or PCI program manager and walk through your interview questions until you are comfortable and confident.

The more you practice your interview the better you’ll be able to breeze through your time with the QSA.

Interview Tip #4

Be Prepared

At your scheduled interview time, have your system set up to run through any observations of processes, actions, or state. For a requirement to be “in place,” often a QSA not only needs to interview you but also, the QSA needs to observe real time configuration settings.

You may be asked to provide screen shots of observations as those will be sufficient evidence that the QSA has observed whatever they’re required to observe during your interview.

 

Interview Tip #5

The interview is not a closed book test.

Whew!

Bring your run book or standard operating procedures and any process documentation that you follow for PCI compliance.

Yes, it’s okay to bring your reference material…and your lucky rabbit’s foot.

Interview Tip #6

Bring your manager

If this is your first QSA interview, moral support is a good thing. If you’re unsure of how to respond to a question or you have a brain skip, your manager can respond. 

When in doubt, invite your manager or a colleague to tag along!

Interview Tip #7

Adopt a great attitude

No doubt, PCI is burdensome and adds to your workload. However, as long as your company accepts payment cards from its customers, your company is legally and contractually obligated to comply with the PCI DSS. 

The interview will be over before you know it.

Interview Tip #8

Submit your interview & observation evidence in a timely manner

Submit your observed configurations, processes, actions, etc., as soon as the interview is completed to your ISA or program manager. Observation evidence are screen shots that are dropped into a Word document. This document needs to include the name of the person interviewed, the requirements observed, and the current date. 

Download These Tips Today!

Interview Tip #9

Anticipate follow ups

Just when you think you’re done, you get a call or email from your ISA because the QSA needs a few more things from you.

Relax and breathe. There’s a number of reasons why they may need something extra from you.

  • The QSA may have forgotten to ask for a configuration setting during the interview
  • You may have forgotten to submit a screen shot
  • The Report on Compliance is in QA and the QSA feels additional evidence is required before they can mark a requirement as “in place.” 

Interview Tip #10

Smile

Your interview takes less than 90 minutes and often may take as little as 15 minutes. 

And remember, this is a conversation not an interrogation.

While all these tips are awesome for the SMEs and technologists who must endure being in the hot seat, there’s one more tip you don’t want to miss. Especially if you want to save $$$$$.

Save $$$$$ With This Bonus Tip!

If you’re a member of our PCI Compliance Toolkit, you can download our handy Consolidated Interview and Observation Schedule. 

Not only will this save upwards of 100 assessment hours but it could save you $20k-$30k in assessment work. 

Not a member of our PCI Compliance Toolkit? Not to worry. You can order our time saving schedule in our Digital Download shop.

Who doesn’t want to reduce stress and save $$$$? Trust us. Your SMEs and QSAs will thank you!


Discover more from Payment Card Assesments

Subscribe to get the latest posts sent to your email.

Firewalls and Routers: How to Take Control of Unruly Firewall Rules, Configurations and Network Connections

Best Practice: Developers and system administrators request changes to firewall rule sets all the time. Whether it’s to do work on system components or test system components, these changes can make a mess out of your rule sets. It’s so easy for someone to unintentionally request an “any” rule which is prohibited in the cardholder data environment. Our best advice is to insert your ISA or someone on the compliance team into the firewall rule change review.

5 PCI Compliance Headaches You Can Live Without

If PCI Compliance were easy, every organization would be doing it, right?

But it’s not.

The sad statistic from the most recent Verizon Payment Security Report is that 57% of all merchants fail to sustain PCI DSS Compliance.

Why?

There are so many reasons. Where do we start?

Let’s start with the 5 PCI Compliance headaches everyone can live without.

Leave a Reply

Discover more from Payment Card Assesments

Subscribe now to keep reading and get access to the full archive.

Continue reading