IVR Technology Group

How To Choose a PCI DSS QSA Auditor

Don’t choose the lowest bidder when you are seeking the best QSA (Qualified Security Assessor) to perform your onsite PCI DSS audit. This advice is not meant to inflate the cost of validating your compliance program; the intent is to LOWER the total cost of the PCI onsite audit, because a poorly matched assessor costs more in rework, disputed findings, and wasted staff time than the difference between bids.

We have ongoing conversations about what to consider in an audit. Even when the PCI DSS standard itself has not changed, the business is always changing (new payment channels, new vendors, new systems in scope), and we need to be mindful of that change when audit time comes around. Below we capture the essence of these conversations, which will undoubtedly continue:

Selecting a QSA auditor should be done in partnership with the Internal Audit team, the Technology leadership, and the Relationship manager (or person charged with ‘owning’ the payment transactions within the business).

There is no shortage of firms willing and capable of performing a qualified audit. However, we still recommend a detailed vetting process:

  • Consider geographic location – you want a firm that is local, or has local resources, so you can have plenty of face time without incurring burdensome travel expenses
  • Consider the firm’s experience in your line of business – request a specific client reference in a similar industry that you can speak with before signing an agreement
  • Request that the firm explicitly list the assigned auditor by name and certifications on the contract, so you can compare equivalent contract proposals and are not assigned a less experienced assessor after signing
  • Require a documented process for how interpretations are approached, and for handling disagreements with those interpretations. Remember, the QSA is responsible for the subjective portion of the assessment – judging whether a control is in place and effective, and whether a compensating control is adequate – so you need to be sure there is a process, with reasonably qualified people on both sides of the table, for working through disputed findings
  • Require a breakdown of how they will handle prior QSA work. Will they use it? Will they accept it? What will cause previously accepted work to be considered non-compliant?

Please consider these practices alongside your existing mature vendor vetting process. PCI DSS training is an ongoing process: be sure your team is up to date and consistently shares anything new it encounters, so that the next audit starts from the current state of the business rather than the last report.

About the author

Bill Irvine
CMO, IVR Technology Group

An avid User Experience Evangelist and design junkie, Bill oversees all things marketing, design, and social media for IVR Technology Group. When he’s not doing that, he “unplugs” as a gentleman farmer, carpenter, and executive chef to his wife.

Security and Compliance

IVR Technology Group
HEADQUARTERS
  65 Lawrence Bell Drive, Suite 102
  Amherst, New York 14221
  1-716-250-2800

© 2025 · IVR Technology Group, LLC · all rights reserved