Decrypting QSA Qualifications in a Diluted Market Place

Monday, November 21, 2011

Andrew Weidenhamer


One of the biggest challenges I have seen for organizations going through PCI On-Site Assessments, is how to determine which 3rd party QSA company to use. 

With 120 and growing QSA companies certified to perform On-Site Assessments in the USA, there is not an easy answer, unless of course price is the only consideration.  Unfortunately, sometimes this is the case. 

However, if price is not the only consideration, below are two items to consider, as well as some potential questions that organizations should be asking to potential vendors to, at the very least, attempt to decipher qualifications.

Determine Relationship

First and foremost, the biggest complaint I hear from organizations is the impersonal relationship which occurs between the QSA and the subject organization, either during or after the On-Site Assessment. Most times, there are items which have to be remediated after the On-Site Assessment. 

In this case, the subject organization must have access to the QSA on a somewhat real time basis, as typically there is a deadline in which these items need to be remediated and guidance is necessary. 

Secondly, after compliance is achieved, a strong relationship will ensure that the client is being updated on any new changes or guidance to the PCI standard.  This is necessary to avoid 11th hour situations. 

Some potential questions to ask to determine what type of relationship to expect are below:

  • How many projects will our QSA be working on at a single time?
  • What will the average SLA be on communication from our specific QSA?
  • Is any guidance or updates provided after the On-Site Assessment is complete?


The second biggest concern I hear from organizations is, "Our QSA wasn't able to answer our question or didn’t appear to be knowledgeable."  It's pretty obvious why this is a concern. 

Many times what will happen, is that consulting companies will sell with an experienced, seasoned QSA and then deliver with staff or less knowledgeable individuals.  This becomes pretty clear early in the assessment and can cause a serious headache for organizations. 

If you hear your QSA say, "I'll get back to you on that" in regard to interpretation on control requirements, there may be a problem.  Typically, this means that the QSA is contacting more experienced QSAs within the organization to get clarification.  In addition, less experienced QSAs use the black and white approach to assessments. 

There is no room for interpretation or movement for a specific control requirement.  This inability to understand the business, the real intent of the requirement, and to properly make risk based decisions can seriously impact an organization from not only an operational standpoint, but pretty significantly from a financial standpoint. 

This is especially true if new technology must be introduced in order to meet the control requirement.  Some potential questions to ask to determine experience are below:

  • How many On-Site Assessments has our QSA performed?
  • How many years of security experience does our QSA have?
  • What level (i.e., junior, staff, senior) of consultant will be performing our On-Site Assessment?

To summarize, if upfront assessment cost is not the only concern for determining what company to use as your QSA company, then qualifying questions need to be asked to determine which company is best equipped and suited to handle the PCI compliance needs of an organization. 

In a sea of QSA companies, which in the future will become an ocean, failure to ask these questions can result in potentially unnecessary business, operational, and financial impact.

Cross-posted from SecureState

Possibly Related Articles:
Information Security
PCI DSS Management QSA Assessments Service Level Agreement Remediation vendors
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.