Don’t choose the lowest bidder when you are seeking the best QSA (Qualified Security Assessor) to perform your onsite PCI DSS audit. We’re not trying to inflate the cost of validating your compliance program; the intent is to LOWER the total cost of the PCI onsite audit.
We often have ongoing conversations about what to consider in an audit. While the PCI DSS standard hasn’t changed in a while, business is always changing, and we need to be mindful of that change when audit time comes around. Below we capture the essence of these conversations, which will undoubtedly continue:
Selecting a QSA auditor should be done in partnership with the Internal Audit team, Technology leadership, and the Relationship manager (or the person charged with ‘owning’ the payment transactions within the business).
There is no lack of firms willing and capable of performing a qualified audit. However, we still recommend a detailed vetting process:
- Consider geographic location – you want a firm that is local or has local resources, so you can have plenty of face time without incurring burdensome travel expenses
- Consider the firm’s experience in your line of business – request a specific client reference that you can speak with before signing an agreement
- Request that the firm explicitly list the auditor by name, with certifications, on the contract so you can compare equivalent contract proposals
- Require a process flow describing how interpretations are approached, and the firm’s process for handling disagreements over those interpretations. Remember, the QSA is responsible for the subjective portion of determining whether controls are valid, so you need to be sure there is a defined process, with reasonably qualified people on both sides of the table, that actually works in practice
- Require a breakdown of how they will handle prior QSA work. Will they use it? Will they accept it? What will cause previous work to be considered non-compliant?
Please consider these practices along with your existing mature vendor vetting process. PCI DSS training is an ongoing process. Be sure your team is up to date and consistently sharing anything new they encounter.